Persónuvernd (Island) - 2022020363: Difference between revisions
mNo edit summary |
|||
Line 77: | Line 77: | ||
}} | }} | ||
The Icelandic DPA imposed a fine in the amount of | The Icelandic DPA imposed a fine in the amount of ISK 2,000,000 (€13,270) on the City of Reykjavík for several GDPR violations in relation to the use of Google Cloud Services in primary schools. | ||
== English Summary == | == English Summary == | ||
Line 86: | Line 86: | ||
A so-called “processing file”, containing all relevant information about the data being processed in Google’s student system. Among others, almost every service included students’ names and e-mail addresses and additional information about their parents or social security numbers that can be added by the students. | A so-called “processing file”, containing all relevant information about the data being processed in Google’s student system. Among others, almost every service included students’ names and e-mail addresses and additional information about their parents or social security numbers that can be added by the students. | ||
Secondly, | Secondly, a Data Protection Impact Assessment. In the DPIA, among other things, the controller stated that the goal of using Google’s systems in schools was that of supporting the academic progress of students. Further, with respects to data retention and deletion of personal data, the DPIA stated that most data is retained for the whole school year and that teachers are encouraged to delete data. With respect to the relationship with Google, the DPIA specified that a processing agreement was in place and it contained instructions in compliance with [[Article 28 GDPR#3|Article 28(3) GDPR]]. The controller thus concluded from the DPIA that it had taken adequate measures to mitigate the risks to rights and freedoms of primary school students. | ||
Thirdly, the City of Reykjavík attached the data processing agreement | Thirdly, the City of Reykjavík attached the data processing agreement. The agreement between the City of Reykjavík and Google stipulated that the City of Reykjavík was the controller and Google the processor. The agreement also stated that the controller instructs the processor on the processing of personal data, but this is limited to certain cases. Further, it contained provisions on the security of processing, transfers of personal data and other obligations. | ||
In addition, the controller attached Google's terms and Google's privacy policy | In addition, the controller attached Google's terms and Google's privacy policy concerning its cloud services. Google’s terms specify the information that google is provided with by the controller and information that google collects itself, either information that is added by users or device, log and location information based on the use of its services. Terms also state that google processes users’ information collected when using its services only to provide those services and this is processed in accordance with Google’s privacy policy. Google’s privacy policy differentiates between customer data and service data: customer data relates to information that the City of Reykjavík or the users of Google’s student system transmit to Google through the system and it is covered by the processing agreement; whereas service data is data collected or generated by Google during the provision and administration of its cloud services, which is processed in accordance with its privacy policy. | ||
Lastly, in its comments, the controller submitted that the systems are used approximately by 8,500 students and it claimed that it has done everything it could in order to ensure compliance with the GDPR. | Lastly, in its comments, the controller submitted that the systems are used approximately by 8,500 students and it claimed that it has done everything it could in order to ensure compliance with the GDPR. | ||
Line 101: | Line 101: | ||
As a preliminary observation, the DPA stressed the fact that it is of utmost importance to ensure that personal data of children in an educational context is processed in accordance with the GDPR, in particular with the principles of proportionality and data minimization. Also, the DPA held, this implies that the purpose of processing of such personal data must be defined narrowly. | As a preliminary observation, the DPA stressed the fact that it is of utmost importance to ensure that personal data of children in an educational context is processed in accordance with the GDPR, in particular with the principles of proportionality and data minimization. Also, the DPA held, this implies that the purpose of processing of such personal data must be defined narrowly. | ||
First, as regards the liability of processing, the DPA found that since the City of Reykjavík decided to make use of Google systems in elementary schools, it should be considered a controller under the GDPR. However, in light of the comments and explanations provided by the City of Reykjavík, the DPA | First, as regards the liability of processing, the DPA found that since the City of Reykjavík decided to make use of Google systems in elementary schools, it should be considered a controller under the GDPR. However, in light of the comments and explanations provided by the City of Reykjavík, the DPA agreed that the City of Reykjavík cannot be considered a controller with respect to the processing of service data by Google, as it is Google that determines the purposes and scope of processing and is a controller in that case. Still, the DPA considered that because it is the City of Reykjavík that decided to make use of Google’s services, this does not release completely the City from its responsibility. As a matter of fact, controllers are responsible for ensuring that processing activities always comply with the principles of processing of [[Article 5 GDPR]] and it is responsible for taking the appropriate measures to ensure this under [[Article 24 GDPR]]. Further, when someone is entrusted with processing on behalf of the controller, it is the controller who is obliged to only choose processors that provide sufficient guarantees for the processing, as per [[Article 28 GDPR#1|Article 28(1) GDPR]]. The DPA clarified, making reference to [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-072020-concepts-controller-and_en EDPB Guidelines 7/2020], that when entrusting processing to a service provider, the controller ''“should carefully assess whether the service provider enables it to fulfill its responsibility in an adequate manner, with respect to the nature, scope, context and purpose of the processing and taking into account possible risks associated with the processing for the registered.”'' Further, the controller should be responsible for stipulating adequate processing agreements and to ensure that the principle of purpose limitation is ensured. | ||
Hence, the DPA found that when a service provider uses personal data to which it has gained access on the basis of a processing agreement with a controller and uses such data for its own purposes, it should be considered a controller, | Hence, the DPA found that when a service provider uses personal data to which it has gained access on the basis of a processing agreement with a controller and uses such data for its own purposes, it should be considered a controller. In the case at issue, such processing should also be considered in violation of the GDPR. In particular, the DPA held that the controller should have ensured that the personal data would only be processed for the purposes specified by it. Since the processing of service data was not included in the processing agreement, the controller could not assess the necessity of such processing and thus failed to fulfil its obligations under [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 24 GDPR#1|Article 24(1) GDPR]] and [[Article 28 GDPR#1|Article 28(1) GDPR]]. | ||
Second, the DPA found that, since the data processing agreement did not preclude Google from further processing of personal data the agreement is to be considered in violation of [[Article 28 GDPR#3a|Article 28(3)(a) GDPR]]. | Second, the DPA found that, since the data processing agreement did not preclude Google from further processing of personal data the agreement is to be considered in violation of [[Article 28 GDPR#3a|Article 28(3)(a) GDPR]]. | ||
Third, as regards the lawfulness of processing, the controller | Third, as regards the lawfulness of processing, the controller claimed that the processing of personal data of students via Google systems wass necessary for performance of a task in the public interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The DPA held that in this case the personal data being processed must be necessary for a specific purpose and must reflect the principle of proportionality, taking also into account the fact that personal data of children deserves special protection. With regard to customer data, the DPA concluded that the personal data of students is processed for specified purposes and may be considered necessary for the school to carry out its task in the public interest. However, as regards the processing of service data by Google, the DPA reiterated the obligation of the controller to make sure that the students’ data is not used for purposes other than those specified for the processing, as per [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]. Since Google’s privacy policy specifies that Google may use service data for further purposes and that the controller failed to take a position on such processing, the latter acted in violation of [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 6 GDPR#4|Article 6(4) GDPR]]. | ||
Fourth, as regards the requirements of privacy by design and by default, the DPA concluded that the controller failed to adopt the necessary organizational measures to enforce such principles. Also, with respect to the principle of storage limitation under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], the DPA found that the controller | Fourth, as regards the requirements of privacy by design and by default, the DPA concluded that the controller failed to adopt the necessary organizational measures to enforce such principles. Also, with respect to the principle of storage limitation under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], the DPA found that the controller retained data in respect of this principle but it is not clear from Google’s privacy policy for cloud services how long the latter stores personal data. The DPA thus held that it is the responsibility of the controller to obtain relevant information about this and take a position in this regard. | ||
Fifth, the DPA held that the DPIA carried out by the controller could not be considered complete as it did not include all minimum requirements of [[Article 35 GDPR#7|Article 35(7) GDPR]]. In particular it failed to include the processing operations on service data by Google in the description of processing under point (a); it failed to assess the necessity of processing under point (b) and it also did not adequately assess the risks to rights and freedoms of individuals under point (c). | Fifth, the DPA held that the DPIA carried out by the controller could not be considered complete as it did not include all minimum requirements of [[Article 35 GDPR#7|Article 35(7) GDPR]]. In particular it failed to include the processing operations on service data by Google in the description of processing under point (a); it failed to assess the necessity of processing under point (b) and it also did not adequately assess the risks to rights and freedoms of individuals under point (c). |
Revision as of 15:37, 19 December 2023
Persónuvernd - 2022020363 | |
---|---|
[[File:|center|250px]] | |
Authority: | Persónuvernd (Island) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5 GDPR Article 6 GDPR Article 24 GDPR Article 25 GDPR Article 28(1) GDPR Article 28(3) GDPR Article 35(7) GDPR Article 44 GDPR Article 58(2)(d) GDPR Article 83(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | 2,000,000 ISK |
Parties: | n/a |
National Case Number/Name: | 2022020363 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Icelandic |
Original Source: | Personuvernd.is (in IS) |
Initial Contributor: | co |
The Icelandic DPA imposed a fine in the amount of ISK 2,000,000 (€13,270) on the City of Reykjavík for several GDPR violations in relation to the use of Google Cloud Services in primary schools.
English Summary
Facts
The Icelandic DPA initiated an ex officio investigation aimed at assessing the use of Google cloud solutions and Google Workspace for education in elementary schools of the City of Reykjavík. On 25 February 2022, the DPA sent a questionnaire to the City of Reykjavík, the controller and carried out its assessment based on the answers and following documents produced by the controller:
A so-called “processing file”, containing all relevant information about the data being processed in Google’s student system. Among others, almost every service included students’ names and e-mail addresses and additional information about their parents or social security numbers that can be added by the students.
Secondly, a Data Protection Impact Assessment. In the DPIA, among other things, the controller stated that the goal of using Google’s systems in schools was that of supporting the academic progress of students. Further, with respects to data retention and deletion of personal data, the DPIA stated that most data is retained for the whole school year and that teachers are encouraged to delete data. With respect to the relationship with Google, the DPIA specified that a processing agreement was in place and it contained instructions in compliance with Article 28(3) GDPR. The controller thus concluded from the DPIA that it had taken adequate measures to mitigate the risks to rights and freedoms of primary school students.
Thirdly, the City of Reykjavík attached the data processing agreement. The agreement between the City of Reykjavík and Google stipulated that the City of Reykjavík was the controller and Google the processor. The agreement also stated that the controller instructs the processor on the processing of personal data, but this is limited to certain cases. Further, it contained provisions on the security of processing, transfers of personal data and other obligations.
In addition, the controller attached Google's terms and Google's privacy policy concerning its cloud services. Google’s terms specify the information that google is provided with by the controller and information that google collects itself, either information that is added by users or device, log and location information based on the use of its services. Terms also state that google processes users’ information collected when using its services only to provide those services and this is processed in accordance with Google’s privacy policy. Google’s privacy policy differentiates between customer data and service data: customer data relates to information that the City of Reykjavík or the users of Google’s student system transmit to Google through the system and it is covered by the processing agreement; whereas service data is data collected or generated by Google during the provision and administration of its cloud services, which is processed in accordance with its privacy policy.
Lastly, in its comments, the controller submitted that the systems are used approximately by 8,500 students and it claimed that it has done everything it could in order to ensure compliance with the GDPR.
After requests to provide further information and an exchange of comments, the DPA issued a report detailing the results of its assessment. After hearing explanations and viewpoints of the controller on the DPA’s assessment, the DPA published its final decision.
Holding
On the basis of all the above, the DPA first of all clarified that customer data, including data that relates to projects, tests, and any other data registered by the students should always be considered personal data under the GDPR if it can be linked to specific students and that the same applies to service data which can be linked to them.
As a preliminary observation, the DPA stressed the fact that it is of utmost importance to ensure that personal data of children in an educational context is processed in accordance with the GDPR, in particular with the principles of proportionality and data minimization. Also, the DPA held, this implies that the purpose of processing of such personal data must be defined narrowly.
First, as regards the liability of processing, the DPA found that since the City of Reykjavík decided to make use of Google systems in elementary schools, it should be considered a controller under the GDPR. However, in light of the comments and explanations provided by the City of Reykjavík, the DPA agreed that the City of Reykjavík cannot be considered a controller with respect to the processing of service data by Google, as it is Google that determines the purposes and scope of processing and is a controller in that case. Still, the DPA considered that because it is the City of Reykjavík that decided to make use of Google’s services, this does not release completely the City from its responsibility. As a matter of fact, controllers are responsible for ensuring that processing activities always comply with the principles of processing of Article 5 GDPR and it is responsible for taking the appropriate measures to ensure this under Article 24 GDPR. Further, when someone is entrusted with processing on behalf of the controller, it is the controller who is obliged to only choose processors that provide sufficient guarantees for the processing, as per Article 28(1) GDPR. The DPA clarified, making reference to EDPB Guidelines 7/2020, that when entrusting processing to a service provider, the controller “should carefully assess whether the service provider enables it to fulfill its responsibility in an adequate manner, with respect to the nature, scope, context and purpose of the processing and taking into account possible risks associated with the processing for the registered.” Further, the controller should be responsible for stipulating adequate processing agreements and to ensure that the principle of purpose limitation is ensured.
Hence, the DPA found that when a service provider uses personal data to which it has gained access on the basis of a processing agreement with a controller and uses such data for its own purposes, it should be considered a controller. In the case at issue, such processing should also be considered in violation of the GDPR. In particular, the DPA held that the controller should have ensured that the personal data would only be processed for the purposes specified by it. Since the processing of service data was not included in the processing agreement, the controller could not assess the necessity of such processing and thus failed to fulfil its obligations under Article 5(1) GDPR, Article 24(1) GDPR and Article 28(1) GDPR.
Second, the DPA found that, since the data processing agreement did not preclude Google from further processing of personal data the agreement is to be considered in violation of Article 28(3)(a) GDPR.
Third, as regards the lawfulness of processing, the controller claimed that the processing of personal data of students via Google systems wass necessary for performance of a task in the public interest under Article 6(1)(f) GDPR. The DPA held that in this case the personal data being processed must be necessary for a specific purpose and must reflect the principle of proportionality, taking also into account the fact that personal data of children deserves special protection. With regard to customer data, the DPA concluded that the personal data of students is processed for specified purposes and may be considered necessary for the school to carry out its task in the public interest. However, as regards the processing of service data by Google, the DPA reiterated the obligation of the controller to make sure that the students’ data is not used for purposes other than those specified for the processing, as per Article 5(1)(b) GDPR. Since Google’s privacy policy specifies that Google may use service data for further purposes and that the controller failed to take a position on such processing, the latter acted in violation of Article 5(1)(b) GDPR and Article 6(4) GDPR.
Fourth, as regards the requirements of privacy by design and by default, the DPA concluded that the controller failed to adopt the necessary organizational measures to enforce such principles. Also, with respect to the principle of storage limitation under Article 5(1)(e) GDPR, the DPA found that the controller retained data in respect of this principle but it is not clear from Google’s privacy policy for cloud services how long the latter stores personal data. The DPA thus held that it is the responsibility of the controller to obtain relevant information about this and take a position in this regard.
Fifth, the DPA held that the DPIA carried out by the controller could not be considered complete as it did not include all minimum requirements of Article 35(7) GDPR. In particular it failed to include the processing operations on service data by Google in the description of processing under point (a); it failed to assess the necessity of processing under point (b) and it also did not adequately assess the risks to rights and freedoms of individuals under point (c).
Last, the DPA held that the controller also failed to ensure a safe transfer of personal data to the US and thus violated Article 44 GDPR.
In light of all this, the DPA first ordered the City of Reykjavík to bring its processing operations into compliance with the GDPR under Article 58(2)(d) GDPR. In addition to this, given the entity, nature and gravity of the infringements, the fact that they relate to personal data of children and may potentially include sensitive personal data, the DPA imposed an administrative fine in the amount of 2,000,000 ISK on the controller under Article 83(2)(a) GDPR and Article 83(2)(g) GDPR.
Comment
This is just one of five decisions of the Icelandic DPA in the context of investigations on the use of Google Cloud Services in primary schools in five different municipalities, all resulting in the imposition of a fine. Other decisions are available at: https://www.personuvernd.is/urlausnir
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions An assessment of Reykjavík City's use of Google's cloud solution in elementary school work Case no. 2022020363 6.12.2023 Children's personal information is specially protected. When IT systems are to be used in elementary school work, it is important to pay attention to that protection and comply with the requirements of the privacy legislation to the utmost. In this case, elementary schools in the city of Reykjavík used information technology systems without paying attention to the requirements of the privacy legislation. The Personal Protection Agency's assessment of the use of the system revealed multiple violations of the legislation by the municipality. ---- Personal data protection has proposed to the City of Reykjavík to bring the processing of primary school students' personal information in Google's student system, Google Workspace for Education, into compliance with the privacy legislation. In addition, an administrative fine of ISK 2,000,000 has been imposed on the City of Reykjavík. The audit was one of five audits carried out by the Personal Protection Agency on the use of cloud services in elementary school work by the country's larger local authorities. They were part of a wider project initiated by the European Privacy Council. The Personal Data Protection's audits looked at how the personal data of elementary school students in the municipalities was processed in the Google student system. The audits revealed that Google processes the personal data of elementary school students beyond the instructions of the local authorities and it was not considered that it was demonstrated that the processing was within the purpose defined by the local authorities for the processing of personal data in the student system. The conclusion of the Personal Protection Agency was that there were multiple violations by the City of Reykjavík of the personal protection legislation with the use of the student system. The City of Reykjavík did not seem to have fulfilled its liability obligations when the decision was made to use Google as a processor, and the processing agreement with Google did not meet all the requirements of the privacy legislation. In addition, the City of Reykjavík did not fulfill its liability obligations, which relate to the fact that the personal data of elementary school students must not be processed for other and incompatible purposes than those specified by the municipality for the processing. Furthermore, the City of Reykjavík did not fulfill its obligations related to data minimization and built-in and default personal protection. The City of Reykjavík's assessment of the impact on personal protection due to the processing did not meet the minimum requirements of the personal protection regulations. The City of Reykjavík also did not ensure the safe transfer of personal information to the United States until June 10 last. when the equivalence decision regarding the transfer of personal data from Europe to the United States was approved. When deciding on a fine, i.a. considered that the City of Reykjavík's offenses concerned the personal data of children who enjoy special protection according to the personal data protection legislation, information about children's purely private matters was recorded in the student system and it was considered likely that their sensitive personal data was recorded in the system. It was also considered that there was a risk associated with personal data being transferred to the United States and processed there without appropriate protective measures being taken. On the other hand, it was also considered that no damage appeared to have occurred as a result of the violations, the City of Reykjavík responded to the Data Protection's messages in handling the case in a clear and concise manner and revised the assessment of the impact on personal protection due to the processing and the procedure in relation to the retention period of personal information during the audit . Decision due to an assessment of the City of Reykjavík's use of Google's cloud solution in elementary school activities in case no. 2022020363: i Procedure and delimitation of a case With a letter from the Personal Protection Agency to the City of Reykjavík on February 25, 2022, the organization's assessment of the municipality's use of cloud-based services in elementary school work was announced. The audit was part of a broader project initiated by the European Privacy Board (hereinafter EDPB), where the members of the Council deal with common issues in a coordinated manner. The EDPB prioritized the use of cloud services by public bodies in 2022, and for that reason the Personal Protection Agency decided to focus audits on the country's larger local authorities and their use of cloud services in primary school work. The aforementioned decision was also made taking into account the Personal Protection Authority's policy in audits and proactive checks for 2022. According to the policy, the processing of children's personal information in all kinds of smart solutions and software systems was a priority in that year, but in addition, the Personal Protection Authority always emphasizes the protection of children's privacy, taking into account that their personal data is specially protected according to the personal data protection legislation. At the same time, the result of the institution's initiative examination was considered in case no. 2021040879, which examined the implementation of Seesaw Learning Inc.'s cloud solution. (hereinafter Seesaw) in primary schools in the city of Reykjavík and came to the conclusion that it had not been in accordance with the personal protection legislation. The audit was carried out in such a way that the Data Protection Agency sent the City of Reykjavík a questionnaire, by email on February 25, 2022, which was related to privacy considerations regarding the choice and use of cloud services in elementary school work. The City of Reykjavík's answers, along with accompanying documents, were received on April 29, 2018. In a letter dated May 19, 2022, the Reykjavík City Data Protection Agency announced that the audit would be limited to the municipality's use of Google's cloud solution, Google Workspace for Education, in primary school work (hereafter the Google student system). For that reason, Personal Protection requested more information and data. The City of Reykjavík's answers, along with accompanying documents, were received on June 17, 2017. Taking into account those answers, the Data Protection Authority also requested further information, with letters to the municipality on 4 August s.á. and 16 January 2023. The City of Reykjavík's answers were received on 8 September 2022 and 7 February 2023. In the aforementioned letters, the Data Protection Authority has requested information and data relating to: 1. Processing register. 2. Processing agreement with Google and other agreements about the service. 3. Instructions given by the City of Reykjavík to Google regarding the processing. 4. Processing authorization. 5. Assessment of the impact on personal protection. 6. Additional safeguards in connection with the possible transfer of personal information to the United States. By letter on July 10, 2023, the City of Reykjavík Data Protection Agency sent a report on the assessment, detailing the results of the agency's review of the case data. The City of Reykjavík was given the opportunity to comment on the content of the report. In addition, the City of Reykjavík was given the opportunity to present comments regarding possible orders from the Personal Protection Authority and the imposition of an administrative fine. By letter of 31. s.m. The City of Reykjavík requested more information and explanations regarding certain points in the Personal Protection report. Personal protection responded with a letter on 30 August s.á. The City of Reykjavík's comments on the evaluation report of the Personal Protection Agency and objections regarding possible orders and the imposition of administrative fines, together with supporting documents, were received on September 15. When resolving the case, all of the above-mentioned data have been taken into account, although not all of them are separately explained in the following decision. II. The main data of the case 1. Processing file The City of Reykjavík's answers were accompanied by a processing file for the processing of personal information in the Google student system. According to the processing register, the following personal information about students is processed in the system: 1. Registration of students in the Google student container: Names and email addresses of students, together with information about year and school. 2. Solving projects, group projects and tests: Students' names and email addresses. It is stated that students themselves can enter additional information, e.g. social security number or information about parents. 3. Guidance and feedback: Students' names and email addresses. It is stated that teachers are instructed that grades should not be entered into the Google school environment. Only guidance and/or feedback (progress guidance) may be inserted. 4. Communication between students and teachers through a chat program (Google Chat): Names and email addresses of students. 5. Communication between students and teachers via e-mail: Names and e-mail addresses of students and teachers. 6. Communication between students and teachers in connection with feedback and comments in assignments (comments): Names and email addresses of students and teachers. It is stated that students can enter additional information themselves. 7. A student shares data with another user within the system or a teacher shares data with students (Google Drive): Students' names and email addresses. It is stated that students can enter additional information themselves. 8. Communication between the teacher and the student via a remote meeting system (Google Meet): Names and email addresses of the students. It is stated that the equipment is used for distance learning. If the camera is turned on, users are visible. 9. Parent interviews via teleconference system: Names and email addresses. It is stated that the system is used to hold meetings between parents and teachers if it is not possible to attend school to hold meetings. 10. Status reports from teachers to parents: Student names and parents' email addresses. It is stated that the system automatically sends a project status report to parents after the teacher has manually entered information about email addresses into the Google Classroom program. The function is only activated at the request of parents/guardians. 11. Student track registration/access closed: Names and email addresses of students, along with information about class and school. 12. Forgot password/change password: Username. 2. Privacy impact assessment Here we will explain the main things that appear in the assessment of the City of Reykjavík on the impact on personal protection, due to the aforementioned processing of personal information. The assessment is dated June 13, 2022, and was accompanied by the City of Reykjavík's responses on June 17, 2022. The evaluation contains a description of processing operations. It is reported that during the installation of a central Google system, each school will be assigned its own area within the teaching solution. The implementation includes input from student management systems, e.g. Mentor, which are already in use in school work and access controls to the solution. Information from the City of Reykjavík's Active Directory system is coordinated in order to set up workspaces for students and teachers. The Google student system is managed centrally by the City of Reykjavík and extensions and other programs cannot be connected to the salary except with the involvement of the city's IT services. Students use the Google student system either with a PC, tablet or Chromebook. Students can use the computers both at school and at home. In addition, you can find a description of all the solutions that fall under the core program of the Google student system (e. Core Services). These are i.a. Google Drive, Google Docs, Google Sheets and Google Slides. Reference is also made to the processing register for a more detailed description of processing operations, cf. discussion in Chapter II. 1. above. The assessment states that only general personal information is processed in the Google student system. The City of Reykjavík's assessment also includes a description of the purpose and legality of the processing. Reference is made to the fact that the City of Reykjavík must ensure school-age children in accordance with paragraph 3. Article 5 Act no. 91/2008 on primary schools. As a result of paragraph 1 Article 78 Constitution of the Republic of Iceland, cf. law no. 33/1944, that local authorities are guaranteed autonomy over methods and ways of implementing that project, i.e. on m. on the implementation of information technology to the extent permitted by other laws. Furthermore, reference is made to Articles 2, 13, 24 and 25. Act no. 91/2008 on primary schools on the obligations of primary schools, students' rights and what should be covered in the main curriculum. It also discusses the current main curriculum of elementary schools about the goals and requirements for elementary schools and teachers. The goals of using the Google Student System are stated as follows: · To support the academic progress of students. · To meet the needs of students. · Enabling students to participate in school activities despite illness or limited access to school. · To strengthen the network of students and teachers and to reduce the fact that students become isolated in their absence from school and fall out of the routine. · Making student project collaboration possible and easier inside and outside of school. · Improving students' access to data. · To promote students in the use of collaborative systems. · To increase diversity in teaching methods. · To encourage students to use web solutions and follow technological innovations. · To create a collaboration platform for teachers and students in the municipality's primary schools. · To fulfill the municipality's statutory obligations towards students. The assessment states, with reference to Articles 13 and 18. Act no. 91/2008 on elementary schools and Article 7 a. of regulation 897/2009, that the processing authorization is used under item 5. Article 9 Act no. 90/2018 on personal protection and processing of personal information. It is not expected that sensitive personal information will be registered in the system. A comment on this item of the assessment states: "[Is] there anything that protects particularly sensitive information in the event that it is entered into the system?" It's hard to expect children to follow it [strictly] not to register such things." Regarding the assessment of whether processing operations are necessary and moderate, the assessment states that the processing of personal information has been limited in various ways in order to create a safe working environment for students to carry out project work in accordance with modern teaching methods and the conditions of the main curriculum. Other processing that falls outside the core processing (e. Core Services) is omitted as far as possible. It is reported that various measures have been taken to limit the processing of personal information in the solution in favor of built-in and default privacy protection with optional settings. It also states that Google processes service data as part of the operation and management of the cloud solution. Examples of that data are given, but more specifically it says in English: 1. Cloud payments and transactions. 2. Cloud settings and configurations. 3. Technical and operational details of your use of Workspace Services. 4. Your direct communications. In the discussion of necessity and proportionality, it is also stated that it is not permitted to record sensitive personal information in students' school projects. Elsewhere in the evaluation, considerations relating to necessity are discussed, taking into account the advantages of using the Google student system over other similar systems. In terms of built-in and default privacy protection, the assessment states that with an optional setting, the City of Reykjavík has, among other things, chose not to work with students' user images, students can only receive e-mails that are sent within the student system, and users' rights to install and connect other software have been limited, and processing with cookies has been severely limited. Users also have access to various additional Google services, e.g. Youtube and Google-Translate, Google-Maps and Google-Earth but without being logged in and their personal information is therefore not collected during use. Furthermore, the collection of analytical data has been blocked, e.g. with the blocking of Google Analytics. Elsewhere in the evaluation, it says that Google's terms of contract for the student system are such that users should have control over the information that is placed in the system, which means that users can delete information, which can however be revoked if the access is active. Furthermore, the information is not shared with third parties or used for marketing purposes. In the evaluation it says, among other things, regarding the retention period and deletion of data that students' school assignments and teacher's comments are saved and preserved in the student system during school attendance/employment. Teachers are regularly encouraged to erase and delete data, e.g. at the end of the school year, which are not considered to be returned according to the law on public archives. Projects are generally preserved until the end of the year, but may be preserved longer in special cases based on special processing authorizations. Users have control over their data while they are at work or at school and access is disabled 30 days after school ends. On the other hand, it is technically possible to revoke data that a student has deleted while the person's access is active. 90 days after access is deactivated, it is deleted as well as the data belonging to it. After 20 days, the access and data will be completely irreversible. It also says that it can take up to 180 days for data to be permanently deleted from the Google student system. Regarding the relationship with the processor, Google, the assessment states that the processing agreement contains various instructions to the processor in accordance with the provisions of paragraph 3. Article 25 Act no. 90/2018, cf. a-h-paragraph 3 Article 28 of regulation (EU) 2016/679. Technical measures in the student system can then be equated with instructions to processors, e.g. by saving data within Europe and by blocking cookies. Regarding the possible transmission of personal data to insecure third countries, it is further stated that Google has confirmed that if data is chosen to be stored in Europe, it will not be stored elsewhere. According to what is stated in the evaluation, however, it seems that there was reason to have standard contract terms, on the transfer of personal information to unsafe third countries, as part of the processing contract. The assessment contains an overview of the risks to the rights and freedoms of the data subjects and actions to respond. The City of Reykjavík describes a total of 43 risk factors, but only a few of them will be discussed here. Firstly, the risk that hosting will be moved outside of Europe or that sub-processors outside of Europe will be used is mentioned. The risk is assessed as low. The City of Reykjavík refers to the fact that the so-called Enterprise license ensures that data is preserved within the European Economic Area. In addition, it is stated that the processing agreement contains provisions on the right of the responsible party to object to changes to sub-processors. Another risk that will be mentioned here is that it is possible to enter sensitive or unnecessary personal information about students during login or project work. Risk is assessed as average. It is stated that teachers, students and parents are instructed not to enter sensitive personal information into the solution. In addition, it says that teachers monitor the content that students post. With proper training, instructions and supervision, there is less chance of sensitive personal information being recorded in the solution. The third risk that will be mentioned here is that the contracts between the parties are insufficient. The risk is assessed as average. It is stated that the processing agreement has been reviewed by the lawyers of the school and leisure department of the municipality and the city's privacy protection officer. Fourthly, there is the risk of working with log data or other metadata of students, their parents or guardians, for the sake of marketing or when creating a personal profile, as the case may be with default settings. Risk is assessed as low. It is stated that according to information from the processor, analysis data is processed in a non-personally identifiable manner. Finally, the risk of users connecting to programs and/or using insecure plugins will be mentioned here. Risk is assessed as average. It is stated that measures have been taken to block the possibility of using add-ons. The remaining risk is assessed as low in all 43 cases. In the conclusion of the assessment, it is stated that the School and Leisure Department has taken adequate technical and organizational measures that reduce the risks to the rights and freedoms of the registered persons. The City of Reykjavík believes that the decision to use the Google student system in school activities was taken on a factual basis and is defensible. The decision is based on the fact that it has been ascertained that it is possible to enforce the requirements made by the City of Reykjavík and the Personal Protection Act. In the review of the personal protection representative of the city of Reykjavík during the evaluation, it says, among other things, that it is important that the security of elementary school students' personal information is ensured by organizational and technical measures in order to minimize the risk of potential processing of sensitive personal information, although it is not considered as such in the available assessment. The school and leisure department needs to carry out internal audits in collaboration with the data protection officer to make sure that the remaining risks are in line with the results of the assessment. It is stated that the personal protection representative does not consider it necessary to propose that prior consultation or special permission from the Personal Protection Agency be sought in accordance with Articles 30 and 31. Act no. 90/2018. The City of Reykjavík sent the Data Protection Authority an updated assessment of the impact on personal protection due to the processing of students' personal information in the Google student system during the audit. The updated assessment is dated September 12, 2022. It is noted that the City of Reykjavík has considered it necessary to assess whether there has been a change in the risk associated with processing operations, cf. Paragraph 11 Article 35 of Regulation (EU) 2016/679, in light of information from Google that the processing of information, other than primary data, may take place outside the European Economic Area. The assessment identifies 79 risk factors, compared to 43 risk factors in the previous assessment, but only part of them relate to the transfer of personal information to third countries. 3. Processing agreement and other Google terms 3.1 Processing Agreement The City of Reykjavík's responses included a copy of the municipality's processing agreement with Google (ie. Data Processing Amendment to Google Workspace and/or Complementary Product Agreement) from September 24, 2021. According to the municipality's responses, the processing agreement underwent minor changes on August 14, 2023. Only that will be reviewed here agreement that was in force between the parties when the audit began and it is sufficient to trace the main points stated therein. The processing agreement stipulates the mutual obligations of Google and the customer, i.e. Reykjavík City. According to the agreement, Google is the processor of the customer's personal information and the City of Reykjavík is responsible for the respective processing. Then the customer can also be a processor of the actual responsible party, in which case Google is a sub-processor as discussed in more detail in article 5.1 of the agreement. The customer's personal data is defined in article 2.1, but it says in English: Customer Personal Data means the personal data contained within the Customer Data, including any special categories of personal data defined under the European Data Protection Law. Article 5.3 states that the processing agreement does not apply to the sharing of personal information from the Google student system for additional services. The City of Reykjavík's response states that the municipality has blocked the installation of all additional Google services. Appendix 1 to the agreement (e. Appendix 1) also contains a description of the types of personal information and categories of registered persons, in accordance with paragraph 3. Article 28 of regulation (EU) 2016/679. There is, among other things, given that it is the personal information that is communicated to Google through the cloud service, i.e. The Google student system, by the customer or users of the system (e. End Users). The appendix also contains a description of the subject of the processing, its duration, nature and purpose. It is stated that the subject of the processing is to provide the service according to the referenced service agreement (e. Google Workspace Service Summary) and technical assistance in relation to it. The processing is ongoing while the contract is valid between the parties and until the customer's personal information has been deleted. Google processes the customer's personal data for the purpose of providing the service and technical support in accordance with the applicable terms. Article 5.2.1 of the parties' processing agreement states that the City of Reykjavík must instruct Google to process the customer's personal information, but it says in English: Customer's Instructions. Customer instructs Google to process Customer Personal Data only in accordance with applicable law: (a) to provide, secure and monitor, the Services and TSS; (b) as further specified via Customer's use of the Services and any applicable technical support; (c) as documented in the form of the Agreement, including these Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of these Terms (collectively, the "Instructions"). The processing agreement also contains various provisions regarding the security of personal information. For example, Article 7.1.1 states that Google will implement and maintain security measures to protect the customer's information against accidental or unlawful deletion or loss, alteration, disclosure or unauthorized access. These security measures are described in more detail in Appendix 2 to the processing agreement. Article 7.1.2 refers to the fact that Google ensures that the employees, contractors and sub-processors who have access to the customer's personal information are subject to confidentiality. According to article 7.5.2 a. the City of Reykjavík is authorized to carry out or have a third party carry out an audit to verify Google's compliance with the processing agreement. The processing agreement also contains provisions on the transfer of personal information to third countries. According to Article 10.1, Google is authorized to work with the customer's information in each of the states that Google or its sub-processors have confirmed, subject to the fulfillment of the obligations stated in other provisions of Article 10. and further obligations in the terms of service. The processing agreement also contains a link to standard contractual clauses for the transfer of personal data to third countries. The transfer of personal information to third countries will be discussed in more detail in chapter III. 7. hereafter. The processing agreement also discusses Google's right to use sub-processors when processing personal information, and there is also a link to an overview of Google's sub-processors, which is available on the company's website. Pursuant to Article 11.1, the City of Reykjavík agrees that Google may use the specified sub-processors. Article 11.4 also states that Google must notify the City of Reykjavík of new sub-processors, at least 30 days before a new sub-processor starts processing personal data. The city of Reykjavík has 90 days from the time Google announces the new sub-processor to oppose the change by terminating the contract immediately. The processing agreement also stipulates that Google will assist the City of Reykjavík in ensuring that obligations according to 32.-36. art. of regulation (EU) 2016/679 are fulfilled, i.e. in connection with the security of processing, notifications of security breaches in the processing of personal data, assessment of the impact on personal protection and prior consultation, cf. articles 7.1.4, 7.2 and 8. It is also noted in article 9.2 that Google will assist the City of Reykjavík in responding to requests related to the rights of registered individuals. Finally, the processing agreement contains provisions on the deletion of the customer's information. According to article 6.2, Google must delete or return the customer's information in accordance with the instructions of the City of Reykjavík. Deletion of the information may take up to 180 days, unless the law requires the retention of the information. 3.2 Other Google Terms 3.2.1 Google's terms of consent for the processing of personal information in the student system When customers purchase access to the Google student system, they are informed of Google's terms of consent for the processing of personal information in the student system (e. Google Workspace for Education School Consent). It says that schools may provide Google with certain personal information of students and teachers, such as their name and email address, when using the Google Student system. In addition, Google may collect certain personal information directly from users of the system, e.g. phone number or profile picture or other information that users put on their Google login. The terms also say that Google collects information about the use of the system, but more specifically it says in English: Google also collects information based on the use of our services. This includes: · device information, such as the hardware model, operating system version, unique device identifiers and mobile network information including the user's phone number; · log information, including details of how a user used our service, device event information and the user's Internet protocol (IP) address; · location information, as determined by various technologies including IP address, GPS and other sensors; · unique application numbers, such as application version number; spirit · cookies or similar technologies which are used to collect and store information about a browser or device, such as preferred language and other settings. The terms state that users' personal information, which is collected when using the system's core services (e. Core Services), is only used to provide those core services. It is noted that the information is not used for marketing purposes (e. advertising purposes). The system's basic services include Gmail, Google Chat, Google Docs, Google Drive and Google Meet. The terms also state that Google's general privacy policy (e. Google Privacy Policy) applies to Google's additional services (e. Additional Services) that customers can choose to use alongside the basic services of the student system. At the end of the terms, it is also stated that Google processes the personal data of students in the basic services of the Google student system in accordance with Google's privacy policy for the student system (i.e. Google Workspace for Education Privacy Notice) and Google's general privacy policy. More specifically, it says in English: By clicking 'I agree' below, you consent on behalf of your institution to Google's processing of the personal information of students in the Core Services as described above and in the Google Workspace for Education Privacy Notice and the Google Privacy Policy, and agree to obtain parent or guardian consent for any Additional Services that you allow students under the age of 18 to use. 3.2.2 Privacy Policies for the Google Student System and Google Cloud Services In the privacy policy for the Google student system (e. Google Workspace for Education Privacy Notice), it is reported that Google collects two types of information when the basic services of the student system are used, one is the customer's personal information (e. Customer Personal Data), which is covered by the parties' processing agreement, and on the other hand service data (e. Service Data). Regarding the processing of service data, reference is made to Google's privacy policy for cloud services (Google Cloud Privacy Notice). In that policy you can find a more detailed description of the processing of service data, but it says in English: Service Data is the personal information Google collects or generates during the provision and administration of the Cloud Services and related technical support, excluding any Customer Data and Partner Data. Service Data consists of: · Account information. We collect the data you or your organization provide when creating an account for Cloud Services or entering into a contract with us (username, names, contact details and job titles). · Cloud payments and transactions. We keep reasonable business records of charges, payments, and billing details and issues. · Cloud settings and configurations. We record your configuration and settings, including resource identifiers and attributes, and service and security settings for data and other resources. · Technical and operational details of your use of Cloud Services. We collect information about usage, operational status, software errors and crash reports, authentication details, quality and performance metrics, and other technical details necessary for us to operate and maintain Cloud Services and related software. This information includes device identifiers, identifiers from cookies or tokens, and IP addresses. · Your direct communications. We keep records of your communications and interactions with us and our partners (for example, when you provide feedback, ask questions or seek technical support). The privacy policy for the Google student system states that service data is primarily used to provide the service, but also for the purposes described in more detail in Google's privacy policy for cloud services. The latter policy states that service data is also used to provide technical support, refine the service and other services used by customers, introduce new functionality to customers or related services, prevent misuse of the service and make the service more secure. With regard to processing authorization, it is referred to that the processing is either necessary to fulfill contracts with responsible parties, due to a legal obligation that rests on Google or in the interests of the company's legitimate interests. III. Explanations and viewpoints of the City of Reykjavík The City of Reykjavík's responses state that according to the municipality's agreement with Google, which came into effect on October 1, 2020, its elementary schools use the Plus (Core Service) service route of the Google student system. It is estimated that approx. 8,500 elementary school students used the student system in the 2021-2022 school year. The City of Reykjavík objects to everything that is stated in the assessment report of the Personal Protection Authority regarding possible violations of the privacy legislation and claims that the municipality has done everything that can be expected to ensure that the processing of primary school students' personal information in the Google student system, for which the municipality is the responsible party, meets in all respects the provisions of the Personal Protection Act no. 90/2018 and the Personal Protection Regulation (EU) 2016/679. In this section, the main explanations and points of view of the City of Reykjavík, on which the decision in the case is based, will be explained. 1. Liability for processing In the responses of the City of Reykjavík, it is stated that the municipality is entrusted with a variety of tasks in the field of teaching elementary school students. This project consists to a large extent in the processing of personal information, i.a. information of the students themselves, and the municipality is responsible for that processing. In modern society, it is necessary to use information systems in order to do most of these tasks, and therefore it may be necessary to look for IT services, i.e. on m. cloud services, from an external service provider. In those cases, the municipality entrusts the cloud service provider to take care of a certain part of the processing as a processor. It is reported that the City of Reykjavík has entered into a processing agreement with Google regarding the processing of personal information in the Google student system. The processing agreement delimits the processing that Google is tasked with, i.e. on m. the purpose of the processing and the methods to be used. Google has been assigned to work with the personal information in the student system that is defined in the processing agreement as customer personal data (e. Customer Personal Data). It also states that in order for the cloud service provider to be able to offer and maintain the cloud service, it is necessary for him to also carry out various types of processing with the personal data that he is assigned to process as a processor, for other purposes, e.g. for the purpose of increasing the reliability or speed of the Service, changing its configuration or functionality and developing improved versions of it. In those cases, the cloud service provider himself, without consultation with his customers, decides on the purpose and methods of the processing and is therefore an independent party responsible for that processing. In the opinion of the City of Reykjavík, Google is therefore the independent responsible party for the processing of so-called service data (e. Service Data) in the Google student system. The City of Reykjavík has no involvement in the processing of service data, and it is therefore disputed that the municipality and Google may be jointly responsible parties for the processing, as was considered according to the audit report of the Data Protection Authority. 2. Processing agreement According to the City of Reykjavík's answers, the municipality's processing agreement with Google, which is reported in Chapter II. 3.1, reviewed by the City of Reykjavík with the aim of ensuring compliance with the provisions of Article 28. of regulation (EU) 2016/679. The City of Reykjavík objects to the fact that the processing agreement does not exclude Google from being able to process personal data beyond the municipality's instructions, as was pointed out in the Personal Protection's audit report. According to article 5.2 (previously 5.2.1) of the processing agreement, the City of Reykjavík instructs Google to process the customer's information, i.e. on m. on working only with personal data in accordance with the parties' agreement and applicable law (e. Customer instructs Google to process Customer Data in accordance with the applicable Agreement (including this Addendum) and applicable law only [...]). The City of Reykjavík also claims that the ample time limits laid down in Article 11.4 of the processing agreement, for objecting to a new subprocessor, give the municipality enough time to communicate directly to the processor its objections to the proposed changes to the composition of subprocessors, before it would be necessary to terminate the processing contract in protest. The City of Reykjavík also considers it problematic how the municipality should be able to list in a processing agreement, exhaustively, all possible types of personal identifiers and other personal information that the municipality and its users may process in the Google student system, taking into account the nature of the cloud service. In the municipality's opinion, it is more efficient and clearer to control in procedures and through supervision which personal data is permitted to be processed. At least it is the municipality's position that the processing agreement of the parties specifies all the points required in paragraph 3. Article 28 of regulation (EU) 2016/679. 3. Other Google Terms In the responses of the City of Reykjavík, it is stated that statements made unilaterally by Google, without any involvement of the municipality, are not part of the parties' processing agreement, do not change it, do not supersede it, and therefore in no way reduce the obligations imposed on Google as a processor . Reference is made to the fact that the municipality has not submitted the statements that Personal Protection relies on in its audit report, i.e. on m. school consent for student use of the Google student system (e. Google Workspace for Education School Consent), privacy policy for the Google student system (e. Google Workspace for Education Privacy Notice) and privacy policy for Google cloud services (e. Google Cloud Privacy Notice). The municipality objects to these statements being used as a basis for the assessment. On the other hand, the City of Reykjavík does not object to Google processing personal information in accordance with the mentioned terms. 4. Processing service data The City of Reykjavík's assessment of the impact on personal protection due to the processing of personal information in the Google student system states that Google processes service data as part of the operation and management of the cloud solution. Examples of that data are given, but more specifically it says in English: 1. Cloud payments and transactions. 2. Cloud settings and configurations. 3. Technical and operational details of your use of Workspace Services. 4. Your direct communications. The City of Reykjavík's response states that service data is not covered by the municipality's processing agreement with Google. Google itself has declared that the company is the responsible party for the processing, but it comes i.a. stated in the e-mail communication between the City of Reykjavík and Google from August 15, 2022. In that communication, Google refers to the fact that the privacy policy for cloud services (i.e. Google Cloud Privacy Notice) applies to the processing of service data. The referenced policy states that service data is personal information collected by Google or generated by the company's cloud services. It is noted that service data does not include the information defined in the parties' processing agreement as the customer's information. The City of Reykjavík states that it cannot state how Google processes personal information in service data, since the municipality is not the party responsible for the processing. The municipality believes it is urgent that the Personal Protection Authority makes a clear distinction between the responsible parties that work with personal data in the student system. The City of Reykjavík has no power, neither according to the personal protection legislation nor according to the provisions of the parties' processing agreement, to enforce information about the processing for which Google is the sole responsible party. In addition, it says that the municipality has, by nature, very limited information about that processing. In the evaluation report of the Personal Protection Authority, it is found that the processing register of the City of Reykjavík does not specify the collection of students' personal information in service data. The City of Reykjavík's letter of objection to the report states that the municipality is not the owner of the information system in question or responsible for all the processing that takes place in the system. It is pointed out that the municipality's processing register is constantly being reviewed and updated and that the processing registers are being updated in accordance with the comments that have been received and in accordance with the new and updated terms for the use of the Google student system. 5. Lawfulness of processing 5.1 Processing authorization and purpose The City of Reykjavík's answers state that the processing of elementary school students' personal information in the Google student system is based on section 5. Article 9 Act no. 90/2018 where it is necessary for works carried out in the public interest, i.e. to provide students with instruction in accordance with the expectations and requirements for such activities. Referring to various provisions of law no. 91/2008 on primary schools, i.a. 2., 13., 17., 24., 27. and 47. a. art. of the law, in addition to the provisions of regulations no. 897/2009 and no. 1040/2011. Reference is also made to section 26.1 of the main primary school curriculum, which stipulates that information and technical education should be taught, which includes media education, information and communication technology and computer use. It is reported that the main purpose of using the Google student system is for students to be able to complete tasks electronically in accordance with the provisions of the law on elementary schools and the main curriculum of elementary schools. In 2017, the municipality's elementary schools took the initiative to examine cloud solutions for use in learning and teaching, both to fulfill the provisions of the elementary school's main curriculum on information and technology education and to follow the rapid changes in the technological world. The conclusion of the inspection was that, apart from the Google student system, other similar teaching solutions that met the needs of the school community were not available. The City of Reykjavík considers it necessary to use solutions such as the Google student system to achieve the requirements made in the main curriculum, e.g. to be able to use software for writing and statistical tasks, for web design, programming, image processing, sound processing and video production. The system has become a necessary part of daily school work in individualized learning, education for all and training students in the digital skills stipulated in the primary school curriculum. The Google student system is also the only holistic teaching solution that supports most of the world's languages and therefore gives students the opportunity to practice their native language under the guidance of a teacher. As regards service data, the City of Reykjavík's explanations state that the municipality has only instructed Google to process personal data that is defined in the party's processing agreement as the customer's personal data. The processing of service data falls outside the processing contract, and Google is therefore the independent responsible party for that processing. 5.2 Data averaging and minimization The City of Reykjavík objects that it is the municipality's role to demonstrate that the processing of primary school students' personal information in the Google student system is limited to what is necessary for the purpose of the processing. The municipality is neither the owner nor the operator of the student system and therefore does not have the power, facilities or rights to provide information on all processing of primary school students' personal information in the Google student system. The municipality believes that it will only be required to provide information about the processing for which it is responsible. According to the City of Reykjavík's explanations, the processing of personal information in the student system has been limited by various optional settings, e.g. if the students' email system has been closed in such a way that students can only receive emails sent within the system, the rights of users to install and connect other software or teaching solutions into the Google environment have been limited, in order to prevent unnecessary processing of personal data, and processing with cookies has been limited, e.g. Google Additional Services cookies have been blocked, i.e. Youtube, Google Translate, Google Maps and Google Earth. Furthermore, the collection of other analytical data in the Google system has been blocked, e.g. by blocking Google Analytics collection within the solution. The Google student system also offers various controls that the controller can use to instruct the processor to promote built-in and default privacy protection in the process. The City of Reykjavík aims to minimize all processing of personal information about those registered in the Google student system. All settings in the system are regularly reviewed by the system administrator and configured for that purpose. Furthermore, the students' email addresses are now the first two letters of the first name and last name or middle name and a running serial number, which means that the students' identities are non-personally identifiable. 5.3 Retention period of personal information According to the City of Reykjavík's answers, elementary school students' projects are preserved in the Google student system until the end of the year, but may be preserved longer in special cases based on other processing authorizations according to Act no. 90/2018. Students have access to the student system until the end of their primary schooling and are encouraged to erase and delete data at the end of each school year. Students' projects will be deleted at the latest when their schooling ends. A small part of the data may be mandatory, as it is mandatory to return a sample of the students' project work to the City Archives. In general, however, it is not considered that data or documents in the system fall under the obligation to return according to Act no. 77/2014. In the evaluation report of the Personal Protection Authority, it is noted that the City of Reykjavík has not demonstrated the need to preserve the information of students in the Google student system throughout their schooling. This position of the institution is opposed by the municipality. It is pointed out that in the assessment it was not requested that the municipality demonstrate such a necessity, but that the municipality deems it necessary to revise the previous instructions on the preservation of projects, taking into account the position of the Personal Protection Agency. Among other things, projects that do not fall under the definitions of project-based learning will be removed at the end of the school year after the student/guardian has been given instructions and the opportunity to save the projects outside of the Google student system. At the end of each level, a central deletion/cleaning of the student system's data stores will also be performed. 6. Privacy impact assessment According to the City of Reykjavík's responses, the municipality carried out an assessment of the impact on privacy due to the processing of primary school students' personal information in the Google student system before the teaching solution was implemented in its primary schools. The City of Reykjavík has deemed it appropriate to carry out an assessment of the impact on personal protection where processing operations include the running and merging of databases and therefore fall under the provisions of section 6. Article 2 advertisement no. 828/2019. It has also been considered that children's personal information is being processed and that group is considered to be in a bad position vis-à-vis the responsible party, cf. provisions of item 7. Article 2 of the advertisement. It also says that the assessment was revised in February 2022 in light of the decision of the Personal Protection Authority, dated December 20, 2021, regarding the use of the Seesaw student system. Furthermore, the assessment was revised during the assessment and the City of Reykjavík, with reference to it, requested prior consultation with the Personal Protection Agency in accordance with Article 30. Act no. 90/2018 and Article 36 of regulation (EU) 2016/679. In the City of Reykjavík's objections to the Personal Data Protection's audit report, it is stated that the municipality considers the existing assessment to be detailed and professionally done. Therefore, it is specifically objected that the evaluation should have included processing operations that Google performs as an independent responsible party and that the City of Reykjavík has no involvement in, i.e. processing of personal information for purposes other than those for which the municipality has assigned Google to work. The municipality has no authority over that processing and very limited information about it. In the municipality's opinion, this is not a correct understanding of the provisions of the personal protection legislation, especially Article 35. of regulation (EU) 2016/679, that in the assessment of the impact on personal protection, processing operations that are the responsibility of other responsible parties shall be discussed. It is also objected that the assessment does not meet point b of paragraph 7. Article 35 of the regulation, on the assessment of whether processing operations are necessary and moderate compared to their purpose. There are no milder ways to achieve the requirements made in the main curriculum, than to use solutions such as the Google student system. The City of Reykjavík has also taken various organizational and technical measures for the use of the student system. Only the personal data of students that the City of Reykjavík considers necessary for the benefit of school work are recorded, and the processing is also restricted by technical access controls, built-in and default personal protection and education for students, parents and teachers, who make sure that students use the system only for the specified purposes. It is also objected that there has not been an adequate assessment of the risk to the rights and freedoms of the registered, cf. point c, paragraph 7 Article 35 of the regulation. Finally, in the City of Reykjavík's objections, a comment is made that Personal Protection did not comply with the municipality's request for prior consultation. 7. Transfer of Personal Information to the United States The City of Reykjavík's responses state that the processing of students' personal information in the Google student system may take place in the United States, although this has not been confirmed. The municipality has directed inquiries to Google about whether data processed in the student system is stored or processed in the United States. According to Google's answers, the company cannot confirm whether information is actually processed in the United States, but it also states that all sharing of information to unsafe third countries is based on the updated standard contractual terms of the European Union and is protected by technical, legal and organizational security measures. The City of Reykjavík has changed the description of the processing in question in the processing file and assessment of the impact on personal protection, taking into account Google's explanations. The City of Reykjavík's responses also refer to the fact that Google has presented descriptions of the additional protection measures that have been taken in connection with the possible transfer of personal information to third countries (e. Safeguards for international data transfers with Google Cloud). Reference will only be made here to the technical measures described there. The referenced descriptions state that Google logs its employees' access and actions within the environment. It also states that data is encrypted in transit as well as at rest. FIPS 104-2 encryption in transit and so-called "Application Layer Transport Security" (ALTS) and "Transport Layer Security" (TLS) are used. Data-at-rest encryption is supported by the Advanced Encryption Standard. The encryption key is at least 128 bits for data stored in the Google Student system. The key is further encrypted with another 128-bit key stored by the "Google key management service" (KMS). Google also offers additional controls, e.g. customers have the option to encrypt their own data and control the retention of the encryption key for certain services. In the City of Reykjavík's updated assessment of the impact on privacy, it is noted that this possibility is limited, so far. It is only possible to encrypt individual documents or create an encrypted document and not to encrypt the entire data storage of all users. The City of Reykjavík has therefore not activated this option at this time. The City of Reykjavík's explanations also state that the United States is now a party to a special agreement on the transfer of personal information from Europe to the United States. The agreement states that the United States guarantees adequate protection for personal information transferred from Europe to American companies on its basis in the sense of the personal data protection regulation, cf. equivalence decision of the European Commission, dated July 10, 2023. This applies to companies that formally enter into obligations under the agreement, including Google. 8. Objection due to the possible imposition of a fine With the assessment report of the Data Protection Authority, the City of Reykjavík was granted the right to object to possible orders and the application of administrative fines. The report states that the available data seemed to indicate that the municipality had violated the provisions of Articles 5, 6, 25, 26, 28, 30, 35, 44 and 46. of Regulation (EU) 2016/679, but violations of those provisions may result in fines according to paragraphs 2 and 3. Article 46 Act no. 90/2018, cf. Paragraphs 4 and 5 Article 83 of the regulation. The audit report also outlines the issues that the Personal Protection Authority believed could lead to the imposition of a fine and affect the amount of the fine, according to paragraph 1. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 of the regulation. The City of Reykjavík refers to the fact that the municipality has shown a strong willingness to cooperate with the Data Protection Authority and has answered all of the agency's inquiries in handling the case in a clear and concise manner. Also, the municipality does not believe there is reason to conclude that it has violated the provisions of the privacy legislation. In addition, it should be borne in mind that the Personal Protection Agency has so far not used milder measures in the case. Furthermore, consideration should be given to the handling of similar cases in the other Nordic countries, e.g. in Denmark, where the association of municipalities there has had plenty of time to communicate to the personal protection authorities proposals from the municipalities for improvements. - With regard to the individual items mentioned in the Personal Protection's audit report, it should first be mentioned that the processing in question relates to the personal data of children, which enjoy special protection according to the personal protection legislation, and that violations of their processing are therefore considered serious, cf. Number 1. Paragraph 1 Article 47 Act no. 90/2018 and point a of the 2nd paragraph Article 83 of the regulation. The report also refers to the fact that, taking into account the functionality of the Google student system and the age of the students, it is likely that sensitive personal information or information of a sensitive nature is recorded in the system. In the City of Reykjavík's objections, it is stated that the municipality prohibits the processing of sensitive personal information in the Google student system and supervises that the ban is enforced. In addition, assignments are generally not carried out on topics that concern the personal interests of students and students are instructed not to record personal identification numbers or other personal information. The City of Reykjavík points out that it is unproven that sensitive personal information was recorded in the student system and that there was no indication of an intention to record such information. Secondly, it is based on the assessment report of the Personal Protection Authority that processing authorization does not exist in terms of the collection of service data for other and incompatible purposes than those specified for the processing of personal data in the student system by the City of Reykjavík. The processing of service data is also considered incompatible with the principles of transparency, proportionality and data minimization, and the violations are considered serious in this regard, cf. Number 1. Paragraph 1 Article 47 of the Act and point a of the 2nd paragraph Article 83 of the regulation. The City of Reykjavík's objection states that the municipality will not be held responsible for relevant processing carried out by another independent responsible party. In addition, it is objected that the Personal Protection Authority is allowed to bring the same alleged offence, i.e. Google's processing of service data that is not covered by the party's processing agreement, under a long list of alleged violations. This does not comply with paragraph 2. Article 47 Act no. 90/2018. Thirdly, it is based on the assessment report of the Personal Protection Agency that the City of Reykjavík's violations are extensive, as approx. 8,500 elementary school students used the Google student system in the 2021-2022 school year, cf. Number 1. Paragraph 1 Article 47 of the Act and point a of the 2nd paragraph Article 83 of the regulation. In the City of Reykjavík's objections, it is pointed out that it is not stated what the Personal Protection Authority's assessment is based on. The City of Reykjavík believes that in order to be able to come to the conclusion that there are extensive violations according to section 1. Paragraph 1 Article 47 of the Act, an objective assessment based on transparent numerical information must be carried out. According to statistical information from Statistics Iceland, the percentage of students in the municipality who used the Google student system was 18% of the total number of students in elementary schools in the country in the school year 2021-2022 and 29% of students in the capital area. The municipality does not consider the ratio extensive in this context. Fourthly, it is disputed that it is stated in the assessment report of the Personal Protection Agency that there is a risk that personal data is transferred to the United States and processed there without appropriate protective measures being taken and that the violation is therefore considered serious, cf. Numbers 1 and 4. Paragraph 1 Article 47 of the Act and points a and d of paragraph 2. Article 83 of the regulation. The City of Reykjavík considers it completely unexplained by the Personal Protection Agency why this alleged violation is considered serious for that reason alone, regardless of its nature. There is a detailed description of the additional protection measures that were applied during the processing until the so-called Privacy Framework came into effect. Fifthly, in the assessment report of the Personal Protection Authority, it is based on the fact that the City of Reykjavík's offense was committed with gross negligence, cf. Number 2. Paragraph 1 Article 47 of the Act and point b of the 2nd paragraph 83 of the regulation. Reference is made to the fact that the agency published instructions on January 7, 2022, following the decision in case no. 2021040879, regarding the implementation of information technology systems where children's personal information is processed, but that it will not be seen that the City of Reykjavík has taken them into account with regard to the processing of personal information in the Google student system. The City of Reykjavík strongly opposes this position. It is noted that compliance with the aforementioned instructions was not part of the existing audit. During the implementation of the Google student system, there were no other guidelines than the general guidelines for cloud solutions that were issued by the Ministry of Finance and the Economy in collaboration with Personal Data Protection at the end of 2016. After the student system was put into use, it was emphasized that take into account relevant guidelines, decisions and descriptions of good practice. To that end, the City of Reykjavík has updated the assessment of the impact on personal protection and risk assessment, taking into account the above-mentioned instructions of the Personal Protection Agency and the instructions of the Norwegian supervisory authority on the use of the Google student system in elementary schools. Finally, the amount of the fine specified in the assessment report is contested as excessively high, especially in view of the decisions of the Personal Protection Authority in case no. 2022020414 regarding the use of the Seesaw student system by the city of Kópavogur and in case no. 2020010355 regarding InfoMentor ehf. IV. Conclusion 1. Delimitation of case This decision pertains to the processing of personal information of elementary school students in the city of Reykjavík in the Google student system, cf. definitions 2. and 4. no. Article 3 Act no. 90/2018 on personal protection and processing of personal information and items 1 and 2. Article 4 of Regulation (EU) 2016/679, in accordance with the scope of the law and the regulation, cf. Paragraph 1 Article 4 of the law. The student system is a "SaaS" cloud solution (Software as a Service), i.e. a solution that provides users with the ability to use specific software as needed. The municipality has estimated that approx. 8,500 students used the system in the 2021-2022 school year. From the data of the case, it can be concluded that in the student system, on the one hand, the customer's personal data (e. Customer Personal Data), which is covered by the parties' processing agreement, and on the other hand personal data in service data (e. Service Data), which is covered in Google's terms and conditions, are processed, e.g. in Google's terms of consent for the processing of personal information in the student system (e. Google Workspace for Education School Consent), Google's privacy policy for cloud services (e. Google Cloud Privacy Notice) and privacy policy for the Google student system (e. Google Workspace for Education Privacy Notice). The customer's personal information is, according to the definition of the processing agreement, the personal information that the City of Reykjavík or the users of the Google student system transmit to Google through the student system. The City of Reykjavík's processing register specifies the personal information entered into the system. According to the process file, assignments and tests are solved in the system, students can share data within the system, and teachers can enter formative assessments and/or feedback and send a project status report to parents. In addition, teachers can use the system for remote teaching and take parent meetings through remote conferencing equipment. Students can also use the system for communication with teachers and other students, e.g. through instant messaging and email. According to Google's privacy policy for cloud services, service data is personal information collected by Google or generated by the company's cloud services. More specifically, it is user information (e. Account information), e.g. usernames and names, information about settings on the service (e. Cloud settings and configurations), technical information and diagnostic data (e. Technical and operational details of your usage of Cloud Services), e.g. device identifiers, identifiers from cookies and IP addresses, and direct user interactions with Google, e.g. in connection with technical support (e. Your direct communications). According to Google's terms of consent for the processing of personal information in the student system, Google further collects information, i.a. about the devices in which the system is used, how the system is used, the location of devices as determined by different technologies, i.e. on m. IP address, GPS and other sensors, language settings and other settings. Is this information used to provide basic services in the system. Taking into account the definition of personal data in the privacy legislation, cf. Number 2. Article 3 Act no. 90/2018 and No. 1 Article 4 regulation (EU) 2016/679, Personal Protection considers that projects, tests and other data that students register in the Google student system are always considered their personal data if it is possible to connect them to a specific student, even though it is not at all. With the same reasoning, information that includes teacher feedback on student assignments, student-teacher interactions, status reports and parent interviews are also considered personal student information if it can be linked to a specific student. The same applies to service data and other data processed in the Google student system, e.g. user information, technical information, analytical information and location information that can be linked to specific students. 2. In general, the processing of primary school students' personal information in information technology systems Personal protection has previously discussed the points of view that must be laid as a basis for the explanation of Act no. 90/2018 and Regulation (EU) 2016/679 when children's personal information is processed in IT systems in primary school work. Refer in this regard to discussion in chapter II. 2. in the institution's decision in case no. 2021040879. The conclusion of the chapter states, among other things: [Although information technology systems can be useful to teachers, parents and schoolchildren during school work and their use can be a part of and assist in the children's education, their use entails risks for the children's fundamental rights. Considering the young age and development of the children, the position they are in with respect to the schools, the amount of data that is at risk of being collected during their schooling, the sensitive nature of the information that may be recorded, the impact of the collection of information on the identity of the children and the access of parties to the private market to this information, the provisions of the personal protection legislation must be followed to the utmost when digital solutions are implemented in school activities. It applies to all provisions of the privacy legislation, but it should be mentioned in particular how important it is that the principle of proportionality and minimization of data is respected. The personal data of school children collected in any type of information technology system must be sufficient, appropriate and limited to what is necessary for the purposes of the processing. In order for this principle to be respected in practice, the purpose of processing the personal data must be defined narrowly and restrictively. Otherwise, it is not possible to define which personal data is directly necessary for the processing. It must also be borne in mind that even though the processing of personal information is considered suitable for teaching, it does not automatically mean that the processing is necessary for that purpose. 3. Responsible party and processor The person responsible for the processing of personal information is compatible with Act no. 90/2018 and Regulation (EU) 2016/679 is the named responsible party. Does this mean an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 6. Article 3 of the Act and number 7 Article 4 of the regulation. If two or more responsible parties jointly decide the purpose of processing and the methods for it, they shall be considered to be joint responsible parties, cf. Article 23 of the Act and paragraph 1 Article 26 of the regulation. Processor is an individual, legal entity, government or other entity that works with personal data on behalf of the controller, cf. Number 7. Article 3 of the Act and number 8. Article 4 of the regulation. 3.1 Liability for processing According to EDPB instructions no. 7/2020, on the terms controller and processor, as they were updated on July 7, 2021, when deciding who is considered to be the controller of processing and who is considered to be a processor, it is not only necessary to look at the available data, for example processing agreement, but also how the arrangements were actually made, i.e. who has in practice made a decision on the purpose and methods of processing personal data. From the documents of the case, it is clear that the City of Reykjavík made a decision to use the Google student system in the municipality's elementary schools. By deciding to use a specific information technology system in elementary school work to provide students with instruction, and directing students to use that system, the City of Reykjavík determines in practice the purpose and methods of processing the students' personal information in the system. In the opinion of the Data Protection Authority, the City of Reykjavík is therefore responsible for the processing of students' personal information in the Google student system. The City of Reykjavík has objected to being considered the responsible party for the processing of service data and other data, which is carried out in order to be able to provide basic services in the Google student system (hereafter referred to as service data), according to Google's terms, where the company determines a single purpose and methods of that processing. According to point a of the 3rd paragraph Article 28 and Article 29 of regulation (EU) 2016/679, cf. Paragraph 3 Article 25 Act no. 90/2018, the processor shall therefore only process personal data to which he has access on behalf of the responsible party, that there are instructions from the responsible party, unless he is obliged to do so according to the laws of the Union or the laws of a member state. The processor cannot therefore make a decision to process the personal data it comes across as a processor for other purposes without consultation with the original responsible party. According to the data available in the case and the City of Reykjavík's explanations, the municipality has not instructed Google to process service data. There is no agreement on the processing of this data in accordance with the provisions of Article 26. of regulation (EU) 2016/679, cf. Article 23 Act no. 90/2018. Accordingly, and taking into account the aforementioned provisions, the Data Protection Authority agrees with the views of the City of Reykjavík that Google is considered the responsible party for the processing of personal information of the municipality's primary school students in service data. On the other hand, the City of Reykjavík is responsible for the personal data of the municipality's elementary school students being processed in the Google student system, since it is the municipality that makes the decision on the use of the system. Although Google sets out the purpose and methods of processing certain data, according to the above, it does not release the City of Reykjavík from its responsibilities, as will be explained in the following sections. Since this review focuses only on the City of Reykjavík, Google's responsibility in this regard will not be discussed further. 3.2 The City of Reykjavík's responsibility for choosing a cloud service and entering into a contract The party responsible for the processing of personal information is responsible for ensuring that the processing is always in accordance with the principles of personal protection and must be able to demonstrate this, cf. Article 8 Act no. 90/2018 on personal protection and processing of personal information and Article 5 of regulation (EU) 2016/679. The responsible party shall, in this regard, take appropriate technical and organizational measures that take into account the nature, scope, context and purpose of the processing and risks to the rights and freedoms of registered persons to ensure and demonstrate that the processing of personal data meets the requirements of the regulation, cf. Article 23 Act no. 90/2018 and paragraph 1 Article 24 of the regulation. If two or more responsible parties jointly decide the purpose of the processing and the methods for it, they shall be considered to be joint responsible parties, cf. Paragraph 1 Article 26 of the regulation and Article 23 of the law. They shall, in a transparent manner, determine the responsibility of each of them to ensure that the obligations under the regulation are fulfilled by agreement among themselves, unless and to the extent that the responsibility of each responsible party is determined by the laws of the Union or the laws of a member state to which the responsible parties are subject. When processing is entrusted to others on behalf of the responsible party, the responsible party shall only seek processors who provide sufficient guarantees that they take appropriate technical and organizational measures so that the processing meets the requirements of the regulation and that the protection of the data subject's rights is guaranteed, cf. Paragraph 1 Article 25 Act no. 90/2018 and paragraph 1 Article 28 of the regulation. Processing by the processor must be covered by a contract or other legal act according to law, which obligates the processor towards the responsible party and where it is specified i.a. subject and purpose of processing, obligations and rights of the responsible party and that the processor only processes personal data according to the documented instructions of the responsible party, cf. Paragraph 3 Article 25 of the Act and paragraph 3 Article 28 of the regulation. As stated in the aforementioned EDPB instructions no. 7/2020 (article 83), when entrusting the processing of personal data to a specific service provider, the controller should carefully assess whether the service provider enables him to fulfill his responsibility in an adequate manner, with respect to the nature, scope, context and purpose of the processing and taking into account the possible risks associated with the processing for the registered. The guidelines also state (articles 37 and 84) that the responsible party must make a final decision to actively approve how the processing is carried out by the processor, at least basically to. In some cases, it may be normal for the processor to be able to make independent decisions in relation to the processing, but then it should be clear which cases these are and to what extent it is considered normal that these decisions fall to the processor. From the examples presented in the guidelines (items 81 and 84) it can also be concluded that when municipalities negotiate with cloud service providers, for purposes similar to those discussed here, it is the responsibility of the municipality, as the party responsible for the processing, to make an adequate processing agreement and ensure that the personal information that is processed under this responsibility is only processed for the purpose that the municipality has specified for the processing. It must also be decided, from the examples referred to, that when a service provider decides on its own to use personal data, to which it gains access on the basis of a processing agreement with a data controller, e.g. to develop its own activities, the service provider is considered the responsible party for that processing, but the processing also involves a violation of regulation (EU) 2016/679. With respect to all of the above and taking into account the circumstances of this case, it is under the responsibility of the City of Reykjavík to choose a cloud service provider that enables the municipality to fulfill its obligations under the privacy legislation in an adequate manner, considering that it is the processing of children's personal information during school work. Accordingly, the City of Reykjavík should have ensured, when it was agreed with Google about the processing of the personal information of the municipality's elementary school students, that the information would only be processed for the purposes specified by the municipality for the processing. To the extent that it could be considered necessary for Google to make independent decisions about the processing of personal information for its services to the City of Reykjavík and the operation of the system, the municipality should also have taken a position on the extent to which such a thing was necessary and permitted. As neither the processing of service data is discussed in the processing agreement between the City of Reykjavík and Google nor in the special agreement between the jointly responsible parties, and with reference to what is stated in the explanations of the City of Reykjavík that the municipality cannot assert in what way Google processes the personal data of elementary school students in service data and has no authority to enforce information about it, it is the conclusion of the Data Protection Authority that the City of Reykjavík has not fulfilled its responsibilities according to Article 8, Article 23. and paragraph 1 Article 25 Act no. 90/2018, cf. Article 5, paragraph 1 Article 24 and paragraph 1 Article 28 of regulation (EU) 2016/679. According to point a of the 3rd paragraph Article 28 of the regulation, cf. Paragraph 3 Article 25 of the law, the processing agreement between the controller and the processor shall in particular stipulate that the processor only processes personal data according to the documented instructions of the controller, unless the processor is otherwise required by law, in which case it must inform the controller before processing begins. Since the existing processing agreement between the City of Reykjavík and Google does not preclude Google from further processing personal data, beyond the instructions of the City of Reykjavík, as the case data suggests that Google actually does, it is also the conclusion of the Data Protection Authority that the processing agreement is not compatible with the aforementioned provisions. According to paragraph 2 and point d of paragraph 3. Article 28 of regulation (EU) 2016/679, cf. Paragraph 3 Article 25 Act no. 90/2018, the processor must notify the responsible party of all planned changes to sub-processors that include the addition of processors or their replacement, thus giving the responsible party the opportunity to object to such changes. In clause 11.4 b. in the processing agreement between the city of Reykjavík and Google, it states that Google will notify the customer of a new subprocessor and the customer has 90 days to object to the change by terminating the agreement immediately. In the City of Reykjavík's explanations, it is claimed that the aforementioned deadline gives the municipality enough time to express its objections to the proposed changes to the sub-processors. In accordance with the aforementioned guidelines of the EDPB no. 7/2020 (article 158) and taking into account the council's report from 17 January 2023 regarding coordinated control measures with the use of cloud services by public entities, the Data Protection Agency agrees with the views of the City of Reykjavík. 4. Lawfulness of processing All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 of regulation (EU) 2016/679. In addition, the processing of sensitive personal data must be compatible with one of the additional conditions of paragraph 1. Article 11 of the law, cf. Paragraph 2 Article 9 of the regulation. When evaluating the authorization for processing, the provisions of other laws that apply in each case must also be taken into account. In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679. Among other things, it is stipulated that personal data must be processed in a lawful, fair and transparent manner towards the data subject (paragraph 1 of the legal provision), that it must be obtained for a clearly specified, legitimate and relevant purpose and not further processed for other and incompatible purposes (subsection 2), that they must be sufficient, relevant and not beyond what is necessary based on the purpose of the processing (subsection 3), that they must be preserved in such a form that it is no longer possible to identify registered persons but necessary based on the purpose of processing (item 5) and that it must be processed in such a way that the appropriate security of the personal information is guaranteed (item 6). In addition, responsible parties must be able to demonstrate that the processing of personal information is always compatible with these principles, cf. Paragraph 2 Article 8 of the Act and paragraph 2 Article 5 of the regulation. 4.1 Processing authorization and purpose The responsible party shall determine a clearly specified, legitimate and objective purpose for the processing of personal data and ensure that it is processed lawfully and only for the specified purpose, cf. 1. and 2. numbers. Paragraph 1 Article 8 Act no. 90/2018 and points a and b of paragraph 1. Article 5 of regulation (EU) 2016/679. This means that the processing of personal data must be based on appropriate processing authorizations, and responsible parties must be able to demonstrate that all the conditions of a specific processing authorization are met, cf. Paragraph 2 of referenced articles. In order for the processing of personal information to be legal, its purpose and processing authorizations must be known before processing begins. The City of Reykjavík bases the processing of primary school students' personal information in the Google student system on the authority of Section 5. Article 9 Act no. 90/2018, where it is necessary for works carried out in the public interest, i.e. to provide teaching to elementary school students in accordance with the expectations and requirements for such activities. In the documents of the case and the municipality's explanations, reference is made to various provisions of Act no. 91/2008 on elementary schools as well as the provisions of regulations no. 897/2009 and no. 1040/2011 and the primary school curriculum. It is also noted that the main purpose of using the Google student system is for students to be able to complete tasks electronically in accordance with the provisions of the law on elementary schools and the main curriculum of elementary schools. Personal protection has based its previous findings on the fact that local authorities can support the processing of primary school students' personal information in information technology systems with the authorization of item 5. Article 9 Act no. 90/2018, cf. point e, paragraph 1 Article 6 regulation (EU) 2016/679, in light of the tasks assigned to them by law no. 91/2008 and the legal authorities established by that law. Refer to Chapter III on this point. 4.1 in the aforementioned decision of the institution in case no. 2021040879. The requirement of the processing authorization that processing is necessary for a specific purpose and in the interest of the specified interests reflects the privacy legislation's principle of proportionality. It depends on the circumstances in each case whether processing is considered necessary. The parties responsible are entrusted with a certain assessment in that respect, but they have to assess the necessity for each and every aspect of the processing for the benefit of the defined purpose. The assessment, for each and every aspect of the processing, is determined by the interests of the specific work and whether those interests can be safeguarded in any way that involves limited processing of personal information. In that assessment, the extent of the processing and the nature and content of the information processed must be considered, among other things. Thus, e.g. to make stricter demands regarding the necessity of processing information about purely private matters of individuals that it is fair and natural to keep secret. The processing of sensitive personal information must also be compatible with one of the additional conditions of paragraph 1. Article 11 Act no. 90/2018, cf. Paragraph 2 Article 9 of regulation (EU) 2016/679. In addition, the Personal Protection Agency has also taken as a basis, when assessing the necessity of processing, that it is right to consider whether the registered persons are children, as their personal data enjoys special protection, cf. Section 38 of the preamble to the regulation. In that connection, as regards the processing in question, i.a. to consider the age and maturity of the children, the position they are in in relation to their school, the amount of data that is at risk of being collected during their schooling, and Google's access to their personal information for processing in its own interest. In order to be able to assess the necessity of processing, as well as to ensure its transparency, the purpose of the processing must also be clearly defined in order to prevent almost anything from being included under it. In the existing assessment of the impact on personal protection for the said processing, which is traced in section II. 2., the purpose of the processing is specified in more detail. Taking into account that definition, Personal Protection can consider that the processing of the customer's personal information, i.e. the personal information covered by the processing agreement between the City of Reykjavík and Google may be considered necessary for a project carried out in the public interest or in the exercise of public authority, which the City of Reykjavík carries out according to Act no. 91/2008, and therefore allowed on the basis of item 5. Article 9 Act no. 90/2018, cf. point e, paragraph 1 Article 6 of regulation (EU) 2016/679. With regard to the processing of personal data in service data, the Personal Protection Agency reiterates its conclusion on the liability obligations of the City of Reykjavík described in section IV. 3.2. When the City of Reykjavík decides to use a cloud service in primary school activities and direct students to use that system, the municipality is responsible for ensuring that the students' personal data is not used for other and incompatible purposes than those specified for the processing, cf. Number 2. Paragraph 1 Article 8 Act no. 90/2018 and point b of paragraph 1. Article 5 of regulation (EU) 2016/679. It also applies to the processing of personal data in service data. In this regard, the City of Reykjavík must assess whether individual processing elements, in connection with the processing of service data, are compatible with the purpose that is the prerequisite for the collection of personal information in the beginning, in accordance with paragraph 4. Article 6 of regulation (EU) 2016/679. The fact that Google sets out the purpose and methods of processing service data does not absolve the City of Reykjavík from that responsibility. From the aforementioned provisions, it also follows that the processing of personal information in service data, for other and incompatible purposes than the one behind the collection of the information, cannot be considered authorized on the basis of Article 9. Act no. 90/2018 and paragraph 1 Article 6 of regulation (EU) 2016/679. From Google's privacy policy for cloud services (i.e. Google Cloud Privacy Notice), it is clear that personal information is collected in service data for purposes other than providing the cloud service and technical support in connection with it, e.g. to refine the Service and other services used by customers and introduce new functionality to customers and related services. It is also clear, according to Google's terms of consent for the processing of personal information in the student system (i.e. Google Workspace for Education School Consent), that the company collects e.g. information about the location of devices as determined by different technologies, i.e. on m. IP address, GPS and other sensors, in order to provide basic services in the system. However, it is not clear how this information is used for that purpose, and the City of Reykjavík has not taken an independent position on whether its processing is necessary for the purpose that the municipality has specified for the processing of personal information in the student system. In view of all the above, it is the conclusion of the Data Protection Authority that the City of Reykjavík has not ensured that the personal data of the municipality's primary school students in the Google student system is not processed for other and incompatible purposes than those that the municipality has specified for the processing of personal data in the system and which can be derived from the municipality's projects according to law no. 91/2008 on primary schools, cf. Number 2. Paragraph 1 Article 8 Act no. 90/2018 and point b of paragraph 1. Article 5 of regulation (EU) 2016/679, cf. and paragraph 4 Article 6 of the regulation. 4.2 Data averaging and minimization Personal data must be sufficient, appropriate and limited to what is necessary based on the purpose of the processing, cf. Number 3. Paragraph 1 Article 8 Act no. 90/2018 and point c of paragraph 1. Article 5 of regulation (EU) 2016/679. In paragraphs 1 and 2 Article 24 of the Act and paragraphs 1 and 2 Article 25 of the regulation provides for built-in and default personal protection. According to the provisions on built-in personal protection, the responsible party shall take technical and organizational measures designed to enforce the principles of personal protection, i.e. on m. data minimization, and incorporate the necessary safeguards into the processing to meet the requirements of Regulation (EU) 2016/679. The provisions on default personal protection stipulate that the responsible party shall take appropriate technical and organizational measures to ensure that by default only the personal data necessary for the purpose of the processing is processed at any given time. This obligation applies to how much personal data is collected, to what extent it is processed, how long it is stored and access to it. In this regard, the aforementioned findings of the Personal Protection Agency will be confirmed, cf. Chapter IV. 3.2 and 4.1, which pertain to the City of Reykjavík's responsibilities regarding Google's processing of the municipality's elementary school students' personal information according to its own terms. Furthermore, the municipality will not be considered to have fulfilled its responsibilities relating to built-in and default personal protection according to the above-mentioned provisions, where appropriate organizational measures have not been taken to enforce the principles of personal protection and to ensure that the personal data of elementary school students is only processed to the extent is necessary for the stated purpose. However, it is clear from the City of Reykjavík's responses that the municipality has limited the processing of personal information in the Google student system with various optional settings and controls in the solution, cf. further discussion in chapter III. 5.2 above. With that in mind, we agree with the views of the City of Reykjavík that the municipality has taken various measures that limit the processing of personal information in the interests of built-in and default personal protection. 4.3 Retention period of personal information Personal data must be preserved in such a way that it is not possible to identify registered persons for longer than is necessary based on the purpose of the processing, cf. Number 5. Paragraph 1 Article 8 Act no. 90/2018 and point e of paragraph 1 Article 5 of regulation (EU) 2016/679. In other words, information may not be stored in a personally identifiable form for longer than is necessary in light of the purpose for which it was collected and processed. According to the liability obligation of paragraph 2 Article 8 of the Act and paragraph 2 Article 5 of the regulation, responsible parties must be able to demonstrate that this is followed. According to what has already been explained in chapter IV. 4.1 above, it is important that the purpose of the processing is clearly defined in order to be able to assess the need for preservation. The provisions on default personal protection also take into account how long personal data is kept, cf. discussion in the section above. It has already been concluded that the City of Reykjavík is considered to have specified the purpose of the processing in a sufficiently clear manner so that the necessity of individual processing operations can be assessed. The same will be considered to apply to the retention period of personal information. According to the available data and the City of Reykjavík's explanations, the principle is that student data in the Google student system is filtered and deleted at the end of the school year. However, some projects may be kept longer and in some cases until the end of schooling. In the assessment report of the Personal Protection Agency, a comment was made on the last-mentioned point, where it was not explained which cases justified a longer retention period. Against the respected objections of the City of Reykjavík, Personal Protection agrees with the point of view that the clearly stated purpose of the processing sets an adequate limit to the retention period. The City of Reykjavík's responses also state that the municipality has considered it necessary to revise the previous instructions on the preservation of projects, taking into account the position of the Data Protection Authority. Projects that do not fall under the definition of project-based learning will be removed at the end of the school year after the student/guardian has been given instructions and the opportunity to save the projects outside of the Google student system. The Norwegian Personal Protection Agency does not consider it necessary to comment on this arrangement, to the extent that the purpose of the processing is clearly defined so that the necessity of the preservation can be assessed in each case. Regarding Google's retention period for the personal information of elementary school students that the company processes according to its own terms, nothing else is known than what is stated in Google's privacy policy for cloud services (i.e. Google Cloud Privacy Notice), which states that the information is retained for as long as Google deems necessary in specified purpose, e.g. to prevent fraud and abuse. The Personal Protection Agency believes that it is the City of Reykjavík's responsibility, in accordance with the aforementioned findings, to obtain all information about the retention period of the municipality's elementary school students' personal information processed by Google and to take a clear position in this regard. 5. Privacy impact assessment If it is likely that the processing of personal data may entail a high risk for the rights and freedoms of individuals, in particular where new technology is used and taking into account the nature, scope, context and purpose of the processing, the responsible party shall have an assessment of the effects of the planned processing operations carried out on the protection of personal data before the processing begins, and one assessment may cover several similar processing operations that may entail similar risk factors, cf. Paragraph 1 Article 29 Act no. 90/2018 and paragraph 1 Article 35 of regulation (EU) 2016/679. With reference to the discussion in Chapter IV. 2., as well as to the fact that it is a complex technology, cloud services, which is applied in a new way, i.e. to provide lessons to school children, it is clear that the City of Reykjavík was obliged to carry out an assessment of the impact of processing operations on the protection of primary school students' personal information before processing in the system began, cf. Number 8. Article 3 advertisement no. 828/2019, cf. Paragraphs 1 and 2 Article 29 Act no. 90/2018 and paragraphs 1 and 4 Article 35 of regulation (EU) 2016/679. In addition, information about teacher feedback on projects or student progress is entered into the Google student system, according to the description of the City of Reykjavík, but it is mandatory to carry out an assessment of the effects of those processing operations, cf. Numbers 4 and 9. advertisement no. 828/2019. As stated in chapter II. 2. above, the City of Reykjavík revised the existing assessment of the impact on personal protection after the assessment began on February 25, 2022, and the new assessment is dated September 12, 2022. In this regard, it should be noted that an assessment of the impact on personal protection must be available before processing begins, which according to the City of Reykjavík's responses was on October 1, 2020, and that assessment, which was available to the City of Reykjavík when the assessment began, is available for review here. Responsible parties can use different methods when carrying out an assessment of the impact on personal protection, but according to section 84 of the preamble of the regulation, the origin, nature, characteristics and severity of the risks resulting from processing operations should be assessed in particular. According to paragraph 7 Article 35 of the regulation, the assessment must contain, as a minimum, a systematic description of the planned processing operations and the purpose of the processing (paragraph a of the provision), an assessment of whether the processing operations are necessary and moderate compared to their purpose (paragraph b), an assessment of the risk to the rights and freedoms of data subjects persons (section c) and a description of the measures planned to be taken against such risks, including protective measures, security measures and arrangements for ensuring the protection of personal data (section d). A detailed article is made for the City of Reykjavík's assessment of the impact on personal protection due to the processing of primary school students' personal information in the Google student system, from June 13, 2022, in chapter II. 2. Only the items that the Personal Protection Authority does not consider to be compatible with the minimum requirements of Article 35 will be covered here. of regulation (EU) 2016/679, cf. Paragraph 1 Article 29 Act no. 90/2018. According to respected previous results, cf. Chapter IV. 3.2 and 4.1 above, the Personal Protection Authority believes that the City of Reykjavík's assessment has not met the conditions of paragraph 7.a. Article 35 of the regulation, where processing operations are not properly accounted for according to Google's terms, although the assessment states that Google processes certain service data as part of the operation and management of the cloud solution. The City of Reykjavík's explanation states that the municipality cannot state how Google processes personal information in service data, as the municipality is not the party responsible for the processing. Personal protection confirms that the responsibility of the City of Reykjavík includes, among other things, to have an overview of the collection and processing of primary school students' personal information that takes place in the Google student system, since the municipality made the decision that its students should use the system and is responsible for ensuring that their personal information finds its way there. A systematic description of the planned processing operations and the purpose of the processing is also a prerequisite for the responsible party to be able to comprehensively assess the next part of the assessment, i.e. whether processing operations are necessary and moderate in relation to their purpose. It follows that the City of Reykjavík's assessment also does not meet the conditions of point b of paragraph 7. Article 35 of the regulation. When evaluating according to that provision, e.g. to reveal that certain processing operations are not necessary to achieve the intended goal and do not fit within the processing authorization that is based on it. Finally, Personal Protection believes that the assessment does not adequately assess the risk to the rights and freedoms of elementary school students, cf. point c, paragraph 7 Article 35 of the regulation. In that connection, points 84 and 90 of the preamble of the regulation, as well as point 75, can be taken into account. Taking into account the functionality of the Google student system and the terms that apply to the system, the Personal Protection Authority believes that the risks associated with Google's access to students' personal information for processing for its own benefit and the transmission of personal information to the United States should have been assessed in particular. Taking into account all of the above, it is the conclusion of the Personal Protection Agency that the City of Reykjavík's assessment of the impact on personal protection does not meet the minimum requirements of Article 35. of regulation (EU) 2016/679, cf. Paragraph 1 Article 29 Act no. 90/2018. 6. Advance consultation With reference to the City of Reykjavík's comments regarding the fact that Personal Protection did not comply with the municipality's request for prior consultation regarding the processing in question, it is considered that according to paragraph 1. Article 30 Act no. 90/2018, cf. Paragraph 1 Article 36 of Regulation (EU) 2016/679, the responsible party shall consult with the Personal Protection Authority, if an assessment of the impact on personal protection indicates that processing will entail a high risk, before processing begins. As mentioned earlier, the comment of the personal protection representative of the City of Reykjavík to the above-mentioned assessment of the impact on personal protection states that he does not consider it a reason to propose that prior consultation be sought regarding the processing of personal information discussed therein. It is also known that the City of Reykjavík decided not to seek prior consultation before the processing of personal information began in the Google student system, in accordance with the aforementioned provisions, but did so with its request to the Data Protection Authority on September 26, 2022, almost two years after the municipality's agreement with Google on the use of the student system came into effect on October 1, 2020. In this respect, the Personal Protection Agency considers it necessary to emphasize the importance of careful work at the beginning and that consultation is sought with the organization before the processing of personal data begins, if it is believed that the processing involves a high risk for the data subject and if there is doubt that it can be is to reduce the risk with adequate measures by the responsible party. In this regard, the views outlined in Chapter IV are emphasized. 2. on the processing of children's personal information during school work. The nature of the information processed in the Google student system is also to be considered, i.e. teacher's feedback or assessment of students' assignments and progress and other personal information concerning the students' purely private affairs, e.g. in their assignments, communication with teachers and status reports, as well as the risk of sensitive personal information being recorded in the system, according to the City of Reykjavík's assessment of the impact on personal protection. Taking into account individual provisions in Google's terms, e.g. on the processing of information about the location of devices as determined by different technologies, i.e. on m. IP address, GPS and other data, for the general purpose of providing basic services, is further to be considered in the statements of the City of Reykjavík in the explanations presented. It states, more specifically, that the municipality has no power, facilities or rights to provide information about all processing of primary school students' personal information in the Google student system, that the municipality had no involvement in negotiating the unilateral terms of Google, where further processing of primary school students' personal information is described, and that it is a fact, i.a. according to Google's statements, it is not possible to provide any cloud service, of the type in question here, without processing information, such as those defined as service data in Google's terms. The Norwegian Personal Protection Authority believes that everything that has been outlined here should have led to the City of Reykjavík consulting with the Personal Protection Authority before the municipality made the decision that the personal data of elementary school students would be made available to Google for processing beyond the municipality's instructions. 7. Transfer of personal information to third countries Transfer of personal information to third countries, i.e. countries outside the European Economic Area, is only permitted if the provisions of Chapter V of Regulation (EU) 2016/679, which are intended to ensure adequate protection when sharing personal information to third countries or international organizations, are complied with, cf. Article 44 of the regulation. The referenced provision also states that all the provisions of the chapter must be applied in such a way as to ensure that the protection of individuals guaranteed by the regulation is not undermined. According to paragraph 1 Article 45 of the regulation, the transmission of personal data to third countries or international organizations is permitted if the Commission has decided that the third country, territory or one or more specified sectors within the relevant third country or the said international organization guarantees adequate protection. Such sharing does not require a special authorization. If there is no equivalence decision according to Article 45. of the regulation, the controller or processor can only share personal data with a third country if he has taken appropriate protective measures and under the condition that there are enforceable rights and effective legal remedies for registered persons, cf. Paragraph 1 Article 46 of the regulation. According to clause 10.1 in the existing processing agreement between the City of Reykjavík and Google, processing of personal data can take place in the countries where Google or the company's sub-processors have facilities. From the documents of the case, it is also clear that Google and some of the company's subprocessors have facilities in the United States. The City of Reykjavík's explanation states that Google cannot confirm whether data processed in the Google student system is stored or otherwise processed in the United States. In view of the above, the Personal Data Protection Authority does not rule out that the personal data of elementary school students in the city of Reykjavík in the Google student system is processed in the United States. An equivalence decision regarding the transfer of personal data from Europe to the United States was approved by the European Commission on July 10, 2023. The transfer of personal data to the United States therefore did not fall under the aforementioned Article 45. of the regulation at the time when this evaluation began and until July 10 last. According to the existing processing register and processing agreement, at this time, standard contractual terms were relied on for the sharing of personal information to third countries, cf. point c, paragraph 2 Article 46 of regulation (EU) 2016/679. In addition, the City of Reykjavík has referred to Google's descriptions of the additional protection measures that are in place due to the transfer of personal information to third countries. In the judgment of the European Court of Justice from July 16, 2020 in case no. C-311/18 (Schrems II) it is stated that when sharing personal data to third countries, protection comparable to that provided for by the General Personal Protection Regulation must be ensured, regardless of which provision of Chapter V of Regulation (EU) 2016/679 is relied upon, but such follows from Article 44. of the regulation. If the responsible party relies on standard contract terms when transferring personal information to a third country, it must therefore ensure in practice that the terms provide comparable protection to what the general privacy regulation stipulates. When deciding whether to comply with such provisions, responsible parties must assess whether the receiving country provides adequate protection. In that regard, the judgment of the European Court of Justice specifically mentioned that in the United States, regulatory agencies have broad powers, according to the law, to use personal information transferred from the European Union to the United States without having to take care of the privacy of individuals. It can also be deduced from the judgment that standard contractual clauses could not have prevented such access by foreign regulatory bodies, and therefore responsible parties could have had to implement additional protective measures alongside the standard contractual terms to ensure in practice that the terms provided comparable protection. In the EDPB recommendation from 18 June 2020 no. 1/2020 on measures for the transfer of personal data out of the country (e. Recommendations on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data) contains more information on what data controllers must take care of when transferring personal data to third countries, among other things taking into account the above judgment of the European Court. With regard to the possible access of foreign supervisory bodies to personal information communicated to third countries, the recommendations state that additional contractual and organizational measures are generally not sufficient to prevent such access, but technical measures, such as encryption, must also be implemented. The recommendations also emphasize that encryption keys are handled responsibly and by trusted parties within the European Economic Area or other countries that ensure adequate protection of personal information. From Google's descriptions, it is clear that personal data is encrypted in the Google Student System database, as well as in transit. Google key management service (KMS) stores the encryption key, but customers also have the option to manage the storage of the key for certain services. The City of Reykjavík has not demonstrated that the municipality has taken advantage of that option. The Norwegian Data Protection Agency therefore believes that it should be assumed that the encryption key was kept by Google KMS, which is owned by the same group of companies that handled the hosting and encryption of personal information on behalf of the City of Reykjavík. In the opinion of the Personal Protection Authority, that arrangement significantly reduces the protection value of the encryption. Then it will not be seen that other technical measures, e.g. access controls implemented in the Google student system have been able to prevent access by foreign regulatory bodies to personal information shared with third countries. Taking into account what has been discussed here, the Data Protection Authority believes that the City of Reykjavík has not demonstrated that it has taken adequate additional protection measures in connection with the transfer of personal information to the United States, until July 10, 2023. Therefore, the municipality has not met the conditions of Article 46. regulation (EU) 2016/679, and the transmission of personal information to the United States, based on the municipality's processing agreement with Google, was therefore contrary to Article 44. of the regulation. 8. Summary of results Personal data protection has come to the conclusion that the processing of primary school students' personal information in the Google student system by the city of Reykjavík was not in accordance with the provisions of the personal protection legislation. First of all, the City of Reykjavík is considered not to have fulfilled its liability obligations when an assessment was made and a decision was made to use Google as a processor of said processing, cf. Article 8, Article 23 and paragraph 1 Article 25 Act no. 90/2018 and Article 5, Paragraph 1 Article 24 and paragraph 1 Article 28 of regulation (EU) 2016/679. Secondly, the processing agreement between the City of Reykjavík and Google is considered not to meet the conditions of paragraph 3.a. Article 28 of the regulation, cf. Paragraph 3 Article 25 of the law. Thirdly, the City of Reykjavík is considered not to have fulfilled its obligations relating to the personal data of the municipality's primary school students not being processed for other and incompatible purposes than those specified by the municipality for the processing, cf. Number 2. Paragraph 1 Article 8 Act no. 90/2018 and point b of paragraph 1. Article 5 of regulation (EU) 2016/679, cf. and paragraph 4 Article 6 of the regulation. Fourthly, the City of Reykjavík is considered not to have fulfilled its obligations relating to the minimization of data and built-in and default personal protection according to section 3. Paragraph 1 Article 8 and paragraphs 1 and 2 Article 24 Act no. 90/2018, cf. c-point 1. paragraph Article 5 and paragraphs 1 and 2 Article 25 of regulation (EU) 2016/679. Fifthly, the assessment of the impact on personal protection made by the City of Reykjavík as a result of the processing does not meet the minimum requirements of paragraphs a-c of paragraph 7. Article 35 of regulation (EU) 2016/679, cf. Paragraph 1 Article 29 Act no. 90/2018. Sixth, the City of Reykjavík did not ensure the safe transfer of personal information to the United States, cf. Article 46 of Regulation (EU) 2016/679, and therefore violated the 44th Regulation. V. Application of orders and administrative fines 1. Instructions In accordance with this conclusion, and with reference to item 4. Article 42 Act no. 90/2018, cf. point d, paragraph 2 Article 58 Regulation (EU) 2016/679, it is hereby proposed to the City of Reykjavík to bring the processing of primary school students' personal information in the Google student system into compliance with the legislation. In this regard, the Personal Protection Agency would like to highlight the issues that the organization considers particularly important to consider in order to allow the municipality to continue using the Google student system. It should be noted that in view of the equivalence decision of the European Commission, dated 10 July 2023, regarding the transfer of personal information from Europe to the United States, it is not considered to direct instructions to the City of Reykjavík regarding the safe transfer of personal information to the United States. Personal Protection does not consider it a reason to order the suspension of processing in the Google student system if the City of Reykjavík considers it possible to bring the processing into compliance with the privacy legislation according to the following: 1. The City of Reykjavík maps the processing of personal information of the municipality's elementary school students that actually takes place in the Google student system and for what purpose. It applies to all processing operations, whether they are carried out by the municipality or Google. 2. The City of Reykjavík documented its assessment of individual processing operations, according to point 1, in accordance with the provisions of points 2 and 3. Paragraph 1 Article 8 Act no. 90/2018 and points b and c of paragraph 1. Article 5 of regulation (EU) 2016/679, cf. and paragraph 4 Article 6 of the regulation, i.e. on m. assessment of the cases in which Google can make independent decisions in relation to processing, which takes place according to the municipality's instructions, and to what extent. 3. The City of Reykjavík makes appropriate changes to the processing agreement with Google in accordance with the provisions of Article 28. of regulation (EU) 2016/679, cf. Paragraph 3 Article 25 Act no. 90/2018. In the processing agreement, it is specified in a clear and transparent manner which processing is agreed upon and all doubts are removed that processing other than that which the City of Reykjavík gives instructions for and is in accordance with the specified purpose, will not take place. 4. The City of Reykjavík updates its assessment of the impact on personal protection in accordance with points 1 and 2 and in accordance with paragraph 7. Article 35 of regulation (EU) 2016/679 and paragraph 1 Article 29 Act no. 90/2018. Confirmation that these instructions have been complied with must be received by Personal Protection no later than February 29, 2024. 2. Administrative fine According to paragraph 1 Article 46 Act no. 90/2018, Personal Protection may impose an administrative fine on any responsible party that violates any of the provisions of the regulation listed in paragraphs 2 and 3. the same articles of law. Fine according to paragraph 2 Article 46 of the law can amount to anywhere from ISK 100,000 to ISK 1.2 billion or up to 2% of a company's total annual turnover worldwide, when there has been a violation of, among other things, Articles 28 and 35 of regulation (EU) 2016/679. Fine according to paragraph 3 Article 46 of the law can range from ISK 100,000 to ISK 2.4 billion or up to 4% of a company's total annual turnover worldwide, when articles 5, 44 and 46 have been violated, among others. of the regulation. Taking into account the implementation in the countries bound by the regulation, it is clear that the fines imposed on public entities are much lower than those imposed on large companies with a large turnover. It is also clear that although it is possible to be fined for many offences, according to both paragraphs 2 and 3 Article 46 of the law, in one and the same case, the combined fine for the offenses would never be higher than according to the upper limit of the fine framework of paragraph 3. of that article. When deciding whether an administrative fine should be applied and what its amount should be, the factors listed in paragraph 1 shall be taken into account. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 of regulation (EU) 2016/679. Taking into account those provisions, the Personal Protection Agency believes that the following points will be assessed for the City of Reykjavík's compensation when deciding whether to impose an administrative fine and what its amount should be: 1. There is no evidence that damage has occurred as a result of the processing of personal information of elementary school students in the city of Reykjavík in the Google student system, cf. Number 1. Paragraph 1 Article 47 of the Act and point a of the 2nd paragraph Article 83 of the regulation. 2. The City of Reykjavík has responded to the Data Protection Authority's inquiries in handling the case in a clear and concise manner, cf. Number 6. Paragraph 1 Article 47 of the Act and f- and point 2. para. Article 83 of the regulation. 3. After the audit began, the City of Reykjavík has revised the procedure in relation to the retention period of personal information in the Google student system and the assessment of the impact on personal protection due to the processing and requested prior consultation with the Data Protection Agency, cf. Number 6. Paragraph 1 Article 47 of the Act and point f of the 2nd paragraph Article 83 of the regulation. The Personal Protection Agency also believes that the following points lead to an administrative fine being imposed on the City of Reykjavík and have the effect of increasing it: 1. The City of Reykjavík's offenses are considered serious considering that they concern the personal data of children in school activities, cf. Numbers 1 and 7. Paragraph 1 Article 47 of the Act and points a and g of paragraph 2. Article 83 of the regulation. Children's personal information enjoys special protection under the personal data protection legislation, as they may be less aware of the risks, consequences and relevant protection measures and their rights in relation to the processing of personal data, cf. Section 38 of the preamble of the regulation. It is also necessary to consider what options primary school students actually have to refuse or limit the processing of their personal information in an information technology system that their school has decided to use. In this respect, it is imperative that the municipality has an overview of the processing of personal information that takes place in the system it chooses to use and does not lose control of the children's personal information. 2. The City of Reykjavík's violations are considered serious considering the nature of the primary school students' personal information that is processed in the Google student system, cf. Numbers 1 and 7. Paragraph 1 Article 47 of the Act and points a and g of paragraph 2. Article 83 of the regulation. Firstly, the system processes information about teacher feedback on projects or student progress. If such processing is likely to entail a high risk for the rights and freedoms of individuals, according to the provisions of Sections 4 and 9. Article 3, cf. Articles 1 and 2 advertisements Personal protection no. 828/2019 on records of processing operations that always require an assessment of the impact on personal protection. Secondly, it must also be considered that the personal information contained in student assignments, student-teacher communication and status reports is personal information about the students' purely private affairs and generally there are stricter requirements regarding the processing of such information in accordance with the principles of personal protection, according to Paragraph 1 Article 8 Act no. 90/2018 and paragraph 1 Article 5 of regulation (EU) 2016/679. Personal data protection has based on the fact that stricter requirements should be made for the processing of personal information about purely private matters or information of a sensitive nature in its previous conclusions, i.a. in the institution's ruling from May 19, 2003, in case no. 2003/103, which is referred to in the institution's decision from May 3, 2022, in case no. 2021040879. Of the comments to Article 9. bill that became law no. 90/2018 it can be concluded that it was not the intention of the legislator to deviate from previous practice in this regard. Thirdly, it is stated in several places in the assessment of the City of Reykjavík on the impact on personal protection due to the processing in question that there is a risk that sensitive personal data, as defined in section 3. Article 3 Act no. 90/2018 will be registered in the system. Regarding measures in this regard, the assessment is not based on the fact that it is possible to rule out that sensitive personal data will be recorded in the system, but that efforts should be made to reduce the likelihood of this happening. Then, in the comments of the assessment, it is specifically asked whether there is anything to protect particularly sensitive personal information if it is registered in the system and it is pointed out that it is difficult to expect children to follow the rule of not registering such information. Although there is no evidence that sensitive personal data of elementary school students in the city of Reykjavík was actually registered in the Google student system, it is clear from the above that the municipality is fully aware of the risks involved. The risk associated with the registration of information according to the above is even greater when looking at the processing of personal information carried out by Google according to its own terms. With all this in mind, the City of Reykjavík's duty of care and responsibility was considerably greater than otherwise. 3. There was a high risk of personal data being transferred to the United States and processed there without appropriate protective measures being taken, cf. judgment of the European Court of Justice from July 16, 2020 in case no. C-311/18 (Schrems II), as US regulatory agencies, at the time in question, had broad statutory powers to use personal data transferred to the US, without having to protect the privacy of the individuals concerned. An offense in this regard is therefore considered serious, cf. Numbers 1 and 4. Paragraph 1 Article 47 Act no. 90/2018 and points a and d of paragraph 2. Article 83 of regulation (EU) 2016/679. 4. The City of Reykjavík's violations are considered extensive considering that approx. 8,500 elementary school students in the municipality used the Google student system in the school year 2021-2022, cf. Number 1. Paragraph 1 Article 47 of the Act and point a of the 2nd paragraph Article 83 of the regulation. Taking into account all of the above and taking into account the previous findings of the Personal Protection Agency that relate to the use of information technology systems in the work of elementary schools, it is the conclusion of the organization that an administrative fine should be imposed on the City of Reykjavík. She thinks 2,000,000 ISK is reasonably certain. Decisions: The processing of primary school students' personal information in the Google student system by the City of Reykjavík is not compatible with Act no. 90/2018 on personal protection and processing of personal data and regulation (EU) 2016/679. It is suggested that the City of Reykjavík bring the processing in line with the legislation. Confirmation that these instructions have been complied with must be received by Personal Protection no later than February 29, 2024. An administrative fine of ISK 2,000,000 is imposed on the City of Reykjavík. The fine must be paid to the treasury within one month from the date of this decision, cf. Paragraph 6 Article 46 Act no. 90/2018 on personal protection and processing of personal information. Privacy, November 28, 2023 Ólafur Garðarsson chairman Árnína Steinunn Kristjánsdóttir Björn Geirsson Vilhelmína Haraldsdóttir